Time to release 0.9.7a.

The tag will be OpenSSL_0_9_7a.
Security fix: Vaudenay timing attack on CBC.
2003-02-19 12:33:55 +00:00 · 2003-02-19 12:04:16 +00:00 · 2003-02-19 11:54:57 +00:00 · 2003-02-19 11:22:18 +00:00 · 2003-02-18 12:15:13 +00:00 · 2003-02-16 20:10:26 +00:00
649 changed files with 23415 additions and 22349 deletions
--- a/.cvsignore
+++ b/.cvsignore
@@ -1,3 +1,4 @@
 openssl.pc
 Makefile.ssl
 MINFO
 makefile.one
--- a/468
+++ b/468
@@ -2,104 +2,251 @@
 OpenSSL CHANGES
 _______________
- Changes between 0.9.7 and 0.9.8  [xx XXX 2002]
+ Changes between 0.9.7 and 0.9.7a  [19 Feb 2003]
-  *) Change default behaviour of 'openssl asn1parse' so that more
+  *) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
-     information is visible when viewing, e.g., a certificate:
+     via timing by performing a MAC computation even if incorrrect
     block cipher padding has been found.  This is a countermeasure
     against active attacks where the attacker has to distinguish
     between bad padding and a MAC verification error. (CAN-2003-0078)
-     Modify asn1_parse2 (crypto/asn1/asn1_par.c) so that in non-'dump'
+     [Bodo Moeller; problem pointed out by Brice Canvel (EPFL),
-     mode the content of non-printable OCTET STRINGs is output in a
+     Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and
-     style similar to INTEGERs, but with '[HEX DUMP]' prepended to
+     Martin Vuagnoux (EPFL, Ilion)]
     avoid the appearance of a printable string.
     [Nils Larsch <nla@trustcenter.de>]
-  *) Add 'asn1_flag' and 'asn1_form' member to EC_GROUP with access
+  *) Make the no-err option work as intended.  The intention with no-err
-     functions
+     is not to have the whole error stack handling routines removed from
-          EC_GROUP_set_asn1_flag()
+     libcrypto, it's only intended to remove all the function name and
-          EC_GROUP_get_asn1_flag()
+     reason texts, thereby removing some of the footprint that may not
-          EC_GROUP_set_point_conversion_form()
+     be interesting if those errors aren't displayed anyway.
          EC_GROUP_get_point_conversion_form()
     These control ASN1 encoding details:
     - Curves (i.e., groups) are encoded explicitly unless asn1_flag
       has been set to OPENSSL_EC_NAMED_CURVE.
     - Points are encoded in uncompressed form by default; options for
       asn1_for are as for point2oct, namely
          POINT_CONVERSION_COMPRESSED
          POINT_CONVERSION_UNCOMPRESSED
          POINT_CONVERSION_HYBRID
-     Also add 'seed' and 'seed_len' members to EC_GROUP with access
+     NOTE: it's still possible for any application or module to have it's
-     functions
+     own set of error texts inserted.  The routines are there, just not
-          EC_GROUP_set_seed()
+     used by default when no-err is given.
-          EC_GROUP_get0_seed()
+     [Richard Levitte]
          EC_GROUP_get_seed_len()
     This is used only for ASN1 purposes (so far).
     [Nils Larsch <nla@trustcenter.de>]
-  *) Add 'field_type' member to EC_METHOD, which holds the NID
+  *) Add support for FreeBSD on IA64.
-     of the appropriate field type OID.  The new function
+     [dirk.meyer@dinoex.sub.org via Richard Levitte, resolves #454]
     EC_METHOD_get_field_type() returns this value.
     [Nils Larsch <nla@trustcenter.de>]
-  *) Add functions 
+  *) Adjust DES_cbc_cksum() so it returns the same value as the MIT
-          EC_POINT_point2bn()
+     Kerberos function mit_des_cbc_cksum().  Before this change,
-          EC_POINT_bn2point()
+     the value returned by DES_cbc_cksum() was like the one from
-          EC_POINT_point2hex()
+     mit_des_cbc_cksum(), except the bytes were swapped.
-          EC_POINT_hex2point()
+     [Kevin Greaney <Kevin.Greaney@hp.com> and Richard Levitte]
     providing useful interfaces to EC_POINT_point2oct() and
     EC_POINT_oct2point().
     [Nils Larsch <nla@trustcenter.de>]
-  *) Change internals of the EC library so that the functions
+  *) Allow an application to disable the automatic SSL chain building.
-          EC_GROUP_set_generator()
+     Before this a rather primitive chain build was always performed in
-          EC_GROUP_get_generator()
+     ssl3_output_cert_chain(): an application had no way to send the 
-          EC_GROUP_get_order()
+     correct chain if the automatic operation produced an incorrect result.
          EC_GROUP_get_cofactor()
     are implemented directly in crypto/ec/ec_lib.c and not dispatched
     to methods, which would lead to unnecessary code duplication when
     adding different types of curves.
     [Nils Larsch <nla@trustcenter.de> with input by Bodo Moeller]
-  *) Implement compute_wNAF (crypto/ec/ec_mult.c) without BIGNUM
+     Now the chain builder is disabled if either:
     arithmetic, and such that modified wNAFs are generated
     (which avoid length expansion in many cases).
     [Bodo Moeller]
-  *) Add a function EC_GROUP_check_discriminant() (defined via
+     1. Extra certificates are added via SSL_CTX_add_extra_chain_cert().
     EC_METHOD) that verifies that the curve discriminant is non-zero.
-     Add a function EC_GROUP_check() that makes some sanity tests
+     2. The mode flag SSL_MODE_NO_AUTO_CHAIN is set.
     on a EC_GROUP, its generator and order.  This includes
     EC_GROUP_check_discriminant().
     [Nils Larsch <nla@trustcenter.de>]
-  *) Add ECDSA in new directory crypto/ecdsa/.
+     The reasoning behind this is that an application would not want the
     auto chain building to take place if extra chain certificates are
     present and it might also want a means of sending no additional
     certificates (for example the chain has two certificates and the
     root is omitted).
     [Steve Henson]
-     Add applications 'openssl ecparam' and 'openssl ecdsa'
+  *) Add the possibility to build without the ENGINE framework.
-     (these are based on 'openssl dsaparam' and 'openssl dsa').
+     [Steven Reddie <smr@essemer.com.au> via Richard Levitte]
-     ECDSA support is also included in various other files across the
+  *) Under Win32 gmtime() can return NULL: check return value in
-     library.  Most notably,
+     OPENSSL_gmtime(). Add error code for case where gmtime() fails.
-     - 'openssl req' now has a '-newkey ecdsa:file' option;
+     [Steve Henson]
     - EVP_PKCS82PKEY (crypto/evp/evp_pkey.c) now can handle ECDSA;
     - X509_PUBKEY_get (crypto/asn1/x_pubkey.c) and
       d2i_PublicKey (crypto/asn1/d2i_pu.c) have been modified to make
       them suitable for ECDSA where domain parameters must be
       extracted before the specific public key.
     [Nils Larsch <nla@trustcenter.de>]
-  *) Include some named elliptic curves, and add OIDs from X9.62,
+  *) DSA routines: under certain error conditions uninitialized BN objects
-     SECG, and WAP/WTLS.  The curves can be obtained from the new
+     could be freed. Solution: make sure initialization is performed early
-     functions
+     enough. (Reported and fix supplied by Ivan D Nestlerode <nestler@MIT.EDU>,
-          EC_GROUP_new_by_nid()
+     Nils Larsch <nla@trustcenter.de> via PR#459)
-          EC_GROUP_new_by_name()
+     [Lutz Jaenicke]
     Also add a 'curve_name' member to EC_GROUP objects, which can be
     accessed via
         EC_GROUP_set_nid()
         EC_GROUP_get_nid()
     [Nils Larsch <nla@trustcenter.de, Bodo Moeller]
- Changes between 0.9.6e and 0.9.7  [XX xxx 2002]
+  *) Another fix for SSLv2 session ID handling: the session ID was incorrectly
     checked on reconnect on the client side, therefore session resumption
     could still fail with a "ssl session id is different" error. This
     behaviour is masked when SSL_OP_ALL is used due to
     SSL_OP_MICROSOFT_SESS_ID_BUG being set.
     Behaviour observed by Crispin Flowerday <crispin@flowerday.cx> as
     followup to PR #377.
     [Lutz Jaenicke]
  *) IA-32 assembler support enhancements: unified ELF targets, support
     for SCO/Caldera platforms, fix for Cygwin shared build.
     [Andy Polyakov]
  *) Add support for FreeBSD on sparc64.  As a consequence, support for
     FreeBSD on non-x86 processors is separate from x86 processors on
     the config script, much like the NetBSD support.
     [Richard Levitte & Kris Kennaway <kris@obsecurity.org>]
 Changes between 0.9.6h and 0.9.7  [31 Dec 2002]
  *) Fix session ID handling in SSLv2 client code: the SERVER FINISHED
     code (06) was taken as the first octet of the session ID and the last
     octet was ignored consequently. As a result SSLv2 client side session
     caching could not have worked due to the session ID mismatch between
     client and server.
     Behaviour observed by Crispin Flowerday <crispin@flowerday.cx> as
     PR #377.
     [Lutz Jaenicke]
  *) Change the declaration of needed Kerberos libraries to use EX_LIBS
     instead of the special (and badly supported) LIBKRB5.  LIBKRB5 is
     removed entirely.
     [Richard Levitte]
  *) The hw_ncipher.c engine requires dynamic locks.  Unfortunately, it
     seems that in spite of existing for more than a year, many application
     author have done nothing to provide the necessary callbacks, which
     means that this particular engine will not work properly anywhere.
     This is a very unfortunate situation which forces us, in the name
     of usability, to give the hw_ncipher.c a static lock, which is part
     of libcrypto.
     NOTE: This is for the 0.9.7 series ONLY.  This hack will never
     appear in 0.9.8 or later.  We EXPECT application authors to have
     dealt properly with this when 0.9.8 is released (unless we actually
     make such changes in the libcrypto locking code that changes will
     have to be made anyway).
     [Richard Levitte]
  *) In asn1_d2i_read_bio() repeatedly call BIO_read() until all content
     octets have been read, EOF or an error occurs. Without this change
     some truncated ASN1 structures will not produce an error.
     [Steve Henson]
  *) Disable Heimdal support, since it hasn't been fully implemented.
     Still give the possibility to force the use of Heimdal, but with
     warnings and a request that patches get sent to openssl-dev.
     [Richard Levitte]
  *) Add the VC-CE target, introduce the WINCE sysname, and add
     INSTALL.WCE and appropriate conditionals to make it build.
     [Steven Reddie <smr@essemer.com.au> via Richard Levitte]
  *) Change the DLL names for Cygwin to cygcrypto-x.y.z.dll and
     cygssl-x.y.z.dll, where x, y and z are the major, minor and
     edit numbers of the version.
     [Corinna Vinschen <vinschen@redhat.com> and Richard Levitte]
  *) Introduce safe string copy and catenation functions
     (BUF_strlcpy() and BUF_strlcat()).
     [Ben Laurie (CHATS) and Richard Levitte]
  *) Avoid using fixed-size buffers for one-line DNs.
     [Ben Laurie (CHATS)]
  *) Add BUF_MEM_grow_clean() to avoid information leakage when
     resizing buffers containing secrets, and use where appropriate.
     [Ben Laurie (CHATS)]
  *) Avoid using fixed size buffers for configuration file location.
     [Ben Laurie (CHATS)]
  *) Avoid filename truncation for various CA files.
     [Ben Laurie (CHATS)]
  *) Use sizeof in preference to magic numbers.
     [Ben Laurie (CHATS)]
  *) Avoid filename truncation in cert requests.
     [Ben Laurie (CHATS)]
  *) Add assertions to check for (supposedly impossible) buffer
     overflows.
     [Ben Laurie (CHATS)]
  *) Don't cache truncated DNS entries in the local cache (this could
     potentially lead to a spoofing attack).
     [Ben Laurie (CHATS)]
  *) Fix various buffers to be large enough for hex/decimal
     representations in a platform independent manner.
     [Ben Laurie (CHATS)]
  *) Add CRYPTO_realloc_clean() to avoid information leakage when
     resizing buffers containing secrets, and use where appropriate.
     [Ben Laurie (CHATS)]
  *) Add BIO_indent() to avoid much slightly worrying code to do
     indents.
     [Ben Laurie (CHATS)]
  *) Convert sprintf()/BIO_puts() to BIO_printf().
     [Ben Laurie (CHATS)]
  *) buffer_gets() could terminate with the buffer only half
     full. Fixed.
     [Ben Laurie (CHATS)]
  *) Add assertions to prevent user-supplied crypto functions from
     overflowing internal buffers by having large block sizes, etc.
     [Ben Laurie (CHATS)]
  *) New OPENSSL_assert() macro (similar to assert(), but enabled
     unconditionally).
     [Ben Laurie (CHATS)]
  *) Eliminate unused copy of key in RC4.
     [Ben Laurie (CHATS)]
  *) Eliminate unused and incorrectly sized buffers for IV in pem.h.
     [Ben Laurie (CHATS)]
  *) Fix off-by-one error in EGD path.
     [Ben Laurie (CHATS)]
  *) If RANDFILE path is too long, ignore instead of truncating.
     [Ben Laurie (CHATS)]
  *) Eliminate unused and incorrectly sized X.509 structure
     CBCParameter.
     [Ben Laurie (CHATS)]
  *) Eliminate unused and dangerous function knumber().
     [Ben Laurie (CHATS)]
  *) Eliminate unused and dangerous structure, KSSL_ERR.
     [Ben Laurie (CHATS)]
  *) Protect against overlong session ID context length in an encoded
     session object. Since these are local, this does not appear to be
     exploitable.
     [Ben Laurie (CHATS)]
  *) Change from security patch (see 0.9.6e below) that did not affect
     the 0.9.6 release series:
     Remote buffer overflow in SSL3 protocol - an attacker could
     supply an oversized master key in Kerberos-enabled versions.
     (CAN-2002-0657)
     [Ben Laurie (CHATS)]
  *) Change the SSL kerb5 codes to match RFC 2712.
     [Richard Levitte]
  *) Make -nameopt work fully for req and add -reqopt switch.
     [Michael Bell <michael.bell@rz.hu-berlin.de>, Steve Henson]
  *) The "block size" for block ciphers in CFB and OFB mode should be 1.
     [Steve Henson, reported by Yngve Nysaeter Pettersen <yngve@opera.com>]
  *) Make sure tests can be performed even if the corresponding algorithms
     have been removed entirely.  This was also the last step to make
     OpenSSL compilable with DJGPP under all reasonable conditions.
     [Richard Levitte, Doug Kaufman <dkaufman@rahul.net>]
  *) Add cipher selection rules COMPLEMENTOFALL and COMPLEMENTOFDEFAULT
     to allow version independent disabling of normally unselected ciphers,
     which may be activated as a side-effect of selecting a single cipher.
     (E.g., cipher list string "RSA" enables ciphersuites that are left
     out of "ALL" because they do not provide symmetric encryption.
     "RSA:!COMPLEMEMENTOFALL" avoids these unsafe ciphersuites.)
     [Lutz Jaenicke, Bodo Moeller]
  *) Add appropriate support for separate platform-dependent build
     directories.  The recommended way to make a platform-dependent
@@ -109,9 +256,9 @@
 	# Place yourself outside of the OpenSSL source tree.  In
 	# this example, the environment variable OPENSSL_SOURCE
 	# is assumed to contain the absolute OpenSSL source directory.
-	mkdir -p objtree/`uname -s`-`uname -r`-`uname -m`
+	mkdir -p objtree/"`uname -s`-`uname -r`-`uname -m`"
-	cd objtree/`uname -s`-`uname -r`-`uname -m`
+	cd objtree/"`uname -s`-`uname -r`-`uname -m`"
-	(cd $OPENSSL_SOURCE; find . -type f -o -type l) | while read F; do
+	(cd $OPENSSL_SOURCE; find . -type f) | while read F; do
 		mkdir -p `dirname $F`
 		ln -s $OPENSSL_SOURCE/$F $F
 	done
@@ -1611,6 +1758,11 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
     be reduced modulo  m.
     [Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller]
 #if 0
     The following entry accidentily appeared in the CHANGES file
     distributed with OpenSSL 0.9.7.  The modifications described in
     it do *not* apply to OpenSSL 0.9.7.
  *) Remove a few calls to bn_wexpand() in BN_sqr() (the one in there
     was actually never needed) and in BN_mul().  The removal in BN_mul()
     required a small change in bn_mul_part_recursive() and the addition
@@ -1619,6 +1771,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
     bn_sub_words() and bn_add_words() except they take arrays with
     differing sizes.
     [Richard Levitte]
 #endif
  *) In 'openssl passwd', verify passwords read from the terminal
     unless the '-salt' option is used (which usually means that
@@ -1750,7 +1903,113 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
  *) Clean old EAY MD5 hack from e_os.h.
     [Richard Levitte]
- Changes between 0.9.6d and 0.9.6e  [XX xxx XXXX]
+ Changes between 0.9.6h and 0.9.6i  [19 Feb 2003]
  *) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
     via timing by performing a MAC computation even if incorrrect
     block cipher padding has been found.  This is a countermeasure
     against active attacks where the attacker has to distinguish
     between bad padding and a MAC verification error. (CAN-2003-0078)
     [Bodo Moeller; problem pointed out by Brice Canvel (EPFL),
     Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and
     Martin Vuagnoux (EPFL, Ilion)]
 Changes between 0.9.6g and 0.9.6h  [5 Dec 2002]
  *) New function OPENSSL_cleanse(), which is used to cleanse a section of
     memory from it's contents.  This is done with a counter that will
     place alternating values in each byte.  This can be used to solve
     two issues: 1) the removal of calls to memset() by highly optimizing
     compilers, and 2) cleansing with other values than 0, since those can
     be read through on certain media, for example a swap space on disk.
     [Geoff Thorpe]
  *) Bugfix: client side session caching did not work with external caching,
     because the session->cipher setting was not restored when reloading
     from the external cache. This problem was masked, when
     SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG (part of SSL_OP_ALL) was set.
     (Found by Steve Haslam <steve@araqnid.ddts.net>.)
     [Lutz Jaenicke]
  *) Fix client_certificate (ssl/s2_clnt.c): The permissible total
     length of the REQUEST-CERTIFICATE message is 18 .. 34, not 17 .. 33.
     [Zeev Lieber <zeev-l@yahoo.com>]
  *) Undo an undocumented change introduced in 0.9.6e which caused
     repeated calls to OpenSSL_add_all_ciphers() and 
     OpenSSL_add_all_digests() to be ignored, even after calling
     EVP_cleanup().
     [Richard Levitte]
  *) Change the default configuration reader to deal with last line not
     being properly terminated.
     [Richard Levitte]
  *) Change X509_NAME_cmp() so it applies the special rules on handling
     DN values that are of type PrintableString, as well as RDNs of type
     emailAddress where the value has the type ia5String.
     [stefank@valicert.com via Richard Levitte]
  *) Add a SSL_SESS_CACHE_NO_INTERNAL_STORE flag to take over half
     the job SSL_SESS_CACHE_NO_INTERNAL_LOOKUP was inconsistently
     doing, define a new flag (SSL_SESS_CACHE_NO_INTERNAL) to be
     the bitwise-OR of the two for use by the majority of applications
     wanting this behaviour, and update the docs. The documented
     behaviour and actual behaviour were inconsistent and had been
     changing anyway, so this is more a bug-fix than a behavioural
     change.
     [Geoff Thorpe, diagnosed by Nadav Har'El]
  *) Don't impose a 16-byte length minimum on session IDs in ssl/s3_clnt.c
     (the SSL 3.0 and TLS 1.0 specifications allow any length up to 32 bytes).
     [Bodo Moeller]
  *) Fix initialization code race conditions in
        SSLv23_method(),  SSLv23_client_method(),   SSLv23_server_method(),
        SSLv2_method(),   SSLv2_client_method(),    SSLv2_server_method(),
        SSLv3_method(),   SSLv3_client_method(),    SSLv3_server_method(),
        TLSv1_method(),   TLSv1_client_method(),    TLSv1_server_method(),
        ssl2_get_cipher_by_char(),
        ssl3_get_cipher_by_char().
     [Patrick McCormick <patrick@tellme.com>, Bodo Moeller]
  *) Reorder cleanup sequence in SSL_CTX_free(): only remove the ex_data after
     the cached sessions are flushed, as the remove_cb() might use ex_data
     contents. Bug found by Sam Varshavchik <mrsam@courier-mta.com>
     (see [openssl.org #212]).
     [Geoff Thorpe, Lutz Jaenicke]
  *) Fix typo in OBJ_txt2obj which incorrectly passed the content
     length, instead of the encoding length to d2i_ASN1_OBJECT.
     [Steve Henson]
 Changes between 0.9.6f and 0.9.6g  [9 Aug 2002]
  *) [In 0.9.6g-engine release:]
     Fix crypto/engine/vendor_defns/cswift.h for WIN32 (use '_stdcall').
     [Lynn Gazis <lgazis@rainbow.com>]
 Changes between 0.9.6e and 0.9.6f  [8 Aug 2002]
  *) Fix ASN1 checks. Check for overflow by comparing with LONG_MAX
     and get fix the header length calculation.
     [Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>,
 	Alon Kantor <alonk@checkpoint.com> (and others),
 	Steve Henson]
  *) Use proper error handling instead of 'assertions' in buffer
     overflow checks added in 0.9.6e.  This prevents DoS (the
     assertions could call abort()).
     [Arne Ansper <arne@ats.cyber.ee>, Bodo Moeller]
 Changes between 0.9.6d and 0.9.6e  [30 Jul 2002]
  *) Add various sanity checks to asn1_get_length() to reject
     the ASN1 length bytes if they exceed sizeof(long), will appear
     negative or the content length exceeds the length of the
     supplied buffer.
     [Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>]
  *) Fix cipher selection routines: ciphers without encryption had no flags
     for the cipher strength set and where therefore not handled correctly
@@ -1773,6 +2032,35 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
     applications.
     [Bodo Moeller]
  *) Changes in security patch:
     Changes marked "(CHATS)" were sponsored by the Defense Advanced
     Research Projects Agency (DARPA) and Air Force Research Laboratory,
     Air Force Materiel Command, USAF, under agreement number
     F30602-01-2-0537.
  *) Add various sanity checks to asn1_get_length() to reject
     the ASN1 length bytes if they exceed sizeof(long), will appear
     negative or the content length exceeds the length of the
     supplied buffer. (CAN-2002-0659)
     [Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>]
  *) Assertions for various potential buffer overflows, not known to
     happen in practice.
     [Ben Laurie (CHATS)]
  *) Various temporary buffers to hold ASCII versions of integers were
     too small for 64 bit platforms. (CAN-2002-0655)
     [Matthew Byng-Maddick <mbm@aldigital.co.uk> and Ben Laurie (CHATS)>
  *) Remote buffer overflow in SSL3 protocol - an attacker could
     supply an oversized session ID to a client. (CAN-2002-0656)
     [Ben Laurie (CHATS)]
  *) Remote buffer overflow in SSL2 protocol - an attacker could
     supply an oversized client master key. (CAN-2002-0656)
     [Ben Laurie (CHATS)]
 Changes between 0.9.6c and 0.9.6d  [9 May 2002]
  *) Fix crypto/asn1/a_sign.c so that 'parameters' is omitted (not
@@ -1859,13 +2147,13 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
     value is 0.
     [Richard Levitte]
  *) Add the configuration target linux-s390x.
     [Neale Ferguson <Neale.Ferguson@SoftwareAG-USA.com> via Richard Levitte]
  *) [In 0.9.6d-engine release:]
     Fix a crashbug and a logic bug in hwcrhk_load_pubkey().
     [Toomas Kiisk <vix@cyber.ee> via Richard Levitte]
  *) Add the configuration target linux-s390x.
     [Neale Ferguson <Neale.Ferguson@SoftwareAG-USA.com> via Richard Levitte]
  *) The earlier bugfix for the SSL3_ST_SW_HELLO_REQ_C case of
     ssl3_accept (ssl/s3_srvr.c) incorrectly used a local flag
     variable as an indication that a ClientHello message has been
--- a/211
+++ b/211
@@ -10,7 +10,7 @@ use strict;
 # see INSTALL for instructions.
-my $usage="Usage: Configure [no-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
+my $usage="Usage: Configure [no-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-engine] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
 # Options:
 #
@@ -38,6 +38,7 @@ my $usage="Usage: Configure [no-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-
 # --test-sanity Make a number of sanity checks on the data in this file.
 #               This is a debugging tool for OpenSSL developers.
 #
 # no-engine     do not compile in any engine code.
 # no-hw-xxx     do not compile support for specific crypto hardware.
 #               Generic OpenSSL-style methods relating to this support
 #               are always compiled but return NULL if the hardware
@@ -107,7 +108,6 @@ my $tlib="-lnsl -lsocket";
 my $bits1="THIRTY_TWO_BIT ";
 my $bits2="SIXTY_FOUR_BIT ";
 my $x86_sol_asm="asm/bn86-sol.o asm/co86-sol.o:asm/dx86-sol.o asm/yx86-sol.o:asm/bx86-sol.o:asm/mx86-sol.o:asm/sx86-sol.o:asm/cx86-sol.o:asm/rx86-sol.o:asm/rm86-sol.o:asm/r586-sol.o";
 my $x86_elf_asm="asm/bn86-elf.o asm/co86-elf.o:asm/dx86-elf.o asm/yx86-elf.o:asm/bx86-elf.o:asm/mx86-elf.o:asm/sx86-elf.o:asm/cx86-elf.o:asm/rx86-elf.o:asm/rm86-elf.o:asm/r586-elf.o";
 my $x86_out_asm="asm/bn86-out.o asm/co86-out.o:asm/dx86-out.o asm/yx86-out.o:asm/bx86-out.o:asm/mx86-out.o:asm/sx86-out.o:asm/cx86-out.o:asm/rx86-out.o:asm/rm86-out.o:asm/r586-out.o";
 my $x86_bsdi_asm="asm/bn86bsdi.o asm/co86bsdi.o:asm/dx86bsdi.o asm/yx86bsdi.o:asm/bx86bsdi.o:asm/mx86bsdi.o:asm/sx86bsdi.o:asm/cx86bsdi.o:asm/rx86bsdi.o:asm/rm86bsdi.o:asm/r586bsdi.o";
@@ -120,7 +120,7 @@ my $alpha_asm="::::::::";
 # -DB_ENDIAN slows things down on a sparc for md5, but helps sha1.
 # So the md5_locl.h file has an undef B_ENDIAN if sun is defined
-#config-string	$cc : $cflags : $unistd : $thread_cflag : $sys_id : $lflags : $bn_ops : $bn_obj : $des_obj : $bf_obj : $md5_obj : $sha1_obj : $cast_obj : $rc4_obj : $rmd160_obj : $rc5_obj : $dso_scheme : $shared_target : $shared_cflag : $shared_ldflag : $shared_extension : $ranlib
+#config-string	$cc : $cflags : $unistd : $thread_cflag : $sys_id : $lflags : $bn_ops : $bn_obj : $des_obj : $bf_obj : $md5_obj : $sha1_obj : $cast_obj : $rc4_obj : $rmd160_obj : $rc5_obj : $dso_scheme : $shared_target : $shared_cflag : $shared_ldflag : $shared_extension : $ranlib : $arflags
 my %table=(
 # File 'TABLE' (created by 'make TABLE') contains the data from this list,
@@ -145,8 +145,10 @@ my %table=(
 "debug-ulf",	"gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -g -O2 -m486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT:::${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
 "debug-steve",	"gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -mcpu=i486 -pedantic -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
 "debug-steve-linux-pseudo64",	"gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DOPENSSL_NO_ASM -g -mcpu=i486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:SIXTY_FOUR_BIT::dlfcn",
-"debug-levitte-linux-elf","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wid-clash-31 -Wcast-align -Wconversion -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-levitte-linux-elf","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"debug-levitte-linux-noasm","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wid-clash-31 -Wcast-align -Wconversion -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-levitte-linux-noasm","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-levitte-linux-elf-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wconversion -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-levitte-linux-noasm-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wconversion -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "dist",		"cc:-O::(unknown)::::::",
 # Basic configs that should work on any (32 and less bit) box
@@ -159,25 +161,25 @@ my %table=(
 # surrounds it with #APP #NO_APP comment pair which (at least Solaris
 # 7_x86) /usr/ccs/bin/as fails to assemble with "Illegal mnemonic"
 # error message.
-"solaris-x86-gcc","gcc:-O3 -fomit-frame-pointer -m486 -Wall -DL_ENDIAN -DOPENSSL_NO_INLINE_ASM::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_sol_asm}:dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris-x86-gcc","gcc:-O3 -fomit-frame-pointer -m486 -Wall -DL_ENDIAN -DOPENSSL_NO_INLINE_ASM::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 #### Solaris x86 with Sun C setups
 "solaris-x86-cc","cc:-fast -O -Xa::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 #### SPARC Solaris with GNU C setups
-"solaris-sparcv7-gcc","gcc:-O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris-sparcv7-gcc","gcc:-O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"solaris-sparcv8-gcc","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris-sparcv8-gcc","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # -m32 should be safe to add as long as driver recognizes -mcpu=ultrasparc
-"solaris-sparcv9-gcc","gcc:-m32 -mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris-sparcv9-gcc","gcc:-m32 -mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"solaris64-sparcv9-gcc31","gcc:-mcpu=ultrasparc -m64 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:solaris-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris64-sparcv9-gcc31","gcc:-mcpu=ultrasparc -m64 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:solaris-shared:-fPIC:-m64 -shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # gcc pre-2.8 doesn't understand -mcpu=ultrasparc, so fall down to -mv8
 # but keep the assembler modules.
-"solaris-sparcv9-gcc27","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus-gcc27.o:::asm/md5-sparcv8plus-gcc27.o::::::dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris-sparcv9-gcc27","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus-gcc27.o:::asm/md5-sparcv8plus-gcc27.o::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"solaris64-sparcv9-gcc","gcc:-m64 -mcpu=ultrasparc -O3 -Wall -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:solaris-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris64-sparcv9-gcc","gcc:-m64 -mcpu=ultrasparc -O3 -Wall -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:solaris-shared:-fPIC:-m64 -shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 ####
-"debug-solaris-sparcv8-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mv8 -Wall -DB_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-solaris-sparcv8-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mv8 -Wall -DB_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"debug-solaris-sparcv9-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mcpu=ultrasparc -Wall -DB_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::::::::dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-solaris-sparcv9-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mcpu=ultrasparc -Wall -DB_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 #### SPARC Solaris with Sun C setups
 # DO NOT use /xO[34] on sparc with SC3.0.  It is broken, and will not pass the tests
@@ -201,13 +203,12 @@ my %table=(
 # it's a real mess with -mcpu=ultrasparc option under Linux, but
 # -Wa,-Av8plus should do the trick no matter what.
 "linux-sparcv9","gcc:-mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-# !!!Folowing can't be even tested yet!!!
+# GCC 3.1 is a requirement
-#    We have to wait till 64-bit glibc for SPARC is operational!!!
+"linux64-sparcv9","gcc:-m64 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:ULTRASPARC:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 #"linux64-sparcv9","sparc64-linux-gcc:-m64 -mcpu=v9 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT:ULTRASPARC::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::asm/md5-sparcv9.o:",
 # Sunos configs, assuming sparc for the gcc one.
-##"sunos-cc", "cc:-O4 -DNOPROTO -DNOCONST::(unknown):::DES_UNROLL:::",
+##"sunos-cc", "cc:-O4 -DNOPROTO -DNOCONST::(unknown):SUNOS::DES_UNROLL:::",
-"sunos-gcc","gcc:-O3 -mv8 -Dssize_t=int::(unknown):::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL DES_PTR DES_RISC1:::",
+"sunos-gcc","gcc:-O3 -mv8 -Dssize_t=int::(unknown):SUNOS::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL DES_PTR DES_RISC1:::",
 #### IRIX 5.x configs
 # -mips2 flag is added by ./config when appropriate.
@@ -261,22 +262,21 @@ my %table=(
 "hpux64-parisc-gcc","gcc:-DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dlfcn:hpux64-shared:-fpic::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # IA-64 targets
-# I have no idea if this one actually works, feedback needed. <appro>
+"hpux-ia64-cc","cc:-Ae +DD32 +O3 +Olit=all -z -DB_ENDIAN::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/ia64-cpp.o:::::::::dlfcn:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "hpux-ia64-cc","cc:-Ae +DD32 +O3 +ESlit -z -DB_ENDIAN::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/ia64-cpp.o:::::::::dlfcn:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # Frank Geurts <frank.geurts@nl.abnamro.com> has patiently assisted with
 # with debugging of the following config.
-"hpux64-ia64-cc","cc:-Ae +DD64 +O3 +ESlit -z -DB_ENDIAN::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/ia64-cpp.o:::::::::dlfcn:hpux64-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux64-ia64-cc","cc:-Ae +DD64 +O3 +Olit=all -z -DB_ENDIAN::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/ia64-cpp.o:::::::::dlfcn:hpux64-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # More attempts at unified 10.X and 11.X targets for HP C compiler.
 #
 # Chris Ruemmler <ruemmler@cup.hp.com>
 # Kevin Steves <ks@hp.se>
-"hpux-parisc-cc","cc:+O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY::-D_REENTRANT::-Wl,+s -ldld:MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux-parisc-cc","cc:+O3 +Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY::-D_REENTRANT::-Wl,+s -ldld:MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"hpux-parisc2-cc","cc:+DA2.0 +DS2.0 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-Wl,+s -ldld:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/pa-risc2.o:::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux-parisc2-cc","cc:+DA2.0 +DS2.0 +O3 +Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-Wl,+s -ldld:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/pa-risc2.o:::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"hpux64-parisc2-cc","cc:+DD64 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/pa-risc2W.o:::::::::dlfcn:hpux64-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux64-parisc2-cc","cc:+DD64 +O3 +Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/pa-risc2W.o:::::::::dlfcn:hpux64-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # Isn't the line below meaningless? HP-UX cc optimizes for host by default.
 # hpux-parisc1_0-cc with +DAportable flag would make more sense. <appro>
-"hpux-parisc1_1-cc","cc:+DA1.1 +DS1.1 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-Wl,+s -ldld:MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux-parisc1_1-cc","cc:+DA1.1 +DS1.1 +O3 +Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-Wl,+s -ldld:MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # HPUX 9.X config.
 # Don't use the bundled cc.  It is broken.  Use HP ANSI C if possible, or
@@ -383,17 +383,20 @@ my %table=(
 "debug-linux-elf","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT::-lefence -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-linux-elf-noefence","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
 "linux-aout",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}",
-"linux-mipsel",   "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::(unknown):::BN_LLONG:::",
+"linux-mipsel",   "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-mips",   "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::(unknown):::BN_LLONG:::",
+"linux-mips",   "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-ppc",    "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-m68k",   "gcc:-DB_ENDIAN -DTERMIO -O2 -fomit-frame-pointer -Wall::-D_REENTRANT:::BN_LLONG::",
-"linux-s390",	"gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:::BN_LLONG::",
+"linux-s390",	"gcc:-DB_ENDIAN -DTERMIO -DNO_ASM -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-s390x", "gcc:-DB_ENDIAN -DTERMIO -DNO_ASM -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG:::::::::::linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-s390x",	"gcc:-DB_ENDIAN -DTERMIO -DNO_ASM -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-ia64",   "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR:asm/ia64.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR BF_PTR2 DES_INT DES_UNROLL:asm/x86_64-gcc.o:::::::::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "NetBSD-sparc",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer -mv8 -Wall -DB_ENDIAN::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "NetBSD-m68",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "NetBSD-x86",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer -m486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "FreeBSD-elf",  "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::-pthread -D_REENTRANT -D_THREAD_SAFE -D_THREADSAFE:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "FreeBSD-sparc64","gcc:-DB_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer::-pthread -D_REENTRANT -D_THREAD_SAFE -D_THREADSAFE:::SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2 BF_PTR::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "FreeBSD-ia64","gcc:-DL_ENDIAN -DTERMIOS -O -fomit-frame-pointer::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR:asm/ia64-cpp.o:::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "FreeBSD",      "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}",
 "bsdi-gcc",     "gcc:-O3 -ffast-math -DL_ENDIAN -DPERL5 -m486::(unknown):::RSA_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_bsdi_asm}",
 "bsdi-elf-gcc",     "gcc:-DPERL5 -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown)::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@@ -401,7 +404,7 @@ my %table=(
 "nextstep3.3",	"cc:-O3 -Wall:<libc.h>:(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::",
 # NCR MP-RAS UNIX ver 02.03.01
-"ncr-scde","cc:-O6 -Xa -Hoff=BEHAVED -686 -Hwide -Hiw::(unknown)::-lsocket -lnsl:${x86_gcc_des} ${x86_gcc_opts}:::",
+"ncr-scde","cc:-O6 -Xa -Hoff=BEHAVED -686 -Hwide -Hiw::(unknown)::-lsocket -lnsl -lc89:${x86_gcc_des} ${x86_gcc_opts}:::",
 # QNX 4
 "qnx4",	"cc:-DL_ENDIAN -DTERMIO::(unknown):::${x86_gcc_des} ${x86_gcc_opts}:",
@@ -412,32 +415,36 @@ my %table=(
 # Linux on ARM
 "linux-elf-arm","gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:::BN_LLONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # SCO/Caldera targets.
 #
 # Originally we had like unixware-*, unixware-*-pentium, unixware-*-p6, etc.
 # Now we only have blended unixware-* as it's the only one used by ./config.
 # If you want to optimize for particular microarchitecture, bypass ./config
 # and './Configure unixware-7 -Kpentium_pro' or whatever appropriate.
 # Note that not all targets include assembler support. Mostly because of
 # lack of motivation to support out-of-date platforms with out-of-date
 # compiler drivers and assemblers. Tim Rice <tim@multitalents.net> has
 # patiently assisted to debug most of it.
 #
 # UnixWare 2.0x fails destest with -O
 "unixware-2.0","cc:-DFILIO_H -DNO_STRINGS_H::-Kthread::-lsocket -lnsl -lresolv -lx:${x86_gcc_des} ${x86_gcc_opts}:::",
 "unixware-2.0-pentium","cc:-DFILIO_H -DNO_STRINGS_H -Kpentium::-Kthread::-lsocket -lnsl -lresolv -lx:MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
 # UnixWare 2.1
 "unixware-2.1","cc:-O -DFILIO_H::-Kthread::-lsocket -lnsl -lresolv -lx:${x86_gcc_des} ${x86_gcc_opts}:::",
-"unixware-2.1-pentium","cc:-O -DFILIO_H -Kpentium::-Kthread::-lsocket -lnsl -lresolv -lx:MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
+"unixware-7","cc:-O -DFILIO_H -Kalloca::-Kthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}:${x86_elf_asm}:dlfcn:svr5-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"unixware-2.1-p6","cc:-O -DFILIO_H -Kp6::-Kthread::-lsocket -lnsl -lresolv -lx:MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
+"unixware-7-gcc","gcc:-DL_ENDIAN -DFILIO_H -O3 -fomit-frame-pointer -m486 -Wall::-D_REENTRANT::-lsocket -lnsl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:gnu-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "OpenUNIX-8","cc:-O -DFILIO_H -Kalloca::-Kthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}:${x86_elf_asm}:dlfcn:svr5-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "OpenUNIX-8-gcc","gcc:-O -DFILIO_H -fomit-frame-pointer::-pthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}:${x86_elf_asm}:dlfcn:svr5-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "sco3-gcc",  "gcc:-O3 -fomit-frame-pointer -Dssize_t=int -DNO_SYS_UN_H::(unknown)::-lsocket:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::", # the SCO assembler doesn't seem to like our assembler files ...
 # SCO 5 - Ben Laurie <ben@algroup.co.uk> says the -O breaks the SCO cc.
 "sco5-cc",  "cc:-belf::(unknown)::-lsocket -lnsl:${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:svr3-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "sco5-gcc",  "gcc:-O3 -fomit-frame-pointer::(unknown)::-lsocket -lnsl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:svr3-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # UnixWare 7
 "unixware-7","cc:-O -DFILIO_H -Kalloca::-Kthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::::::::::dlfcn:svr5-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "unixware-7-pentium","cc:-O -DFILIO_H -Kalloca -Kpentium::-Kthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::::::::::dlfcn:svr5-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "unixware-7-pentium_pro","cc:-O -DFILIO_H -Kalloca -Kpentium_pro::-Kthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::::::::::dlfcn:svr5-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "unixware-7-gcc","gcc:-DL_ENDIAN -DFILIO_H -O3 -fomit-frame-pointer -m486 -Wall::-D_REENTRANT::-lsocket -lnsl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:gnu-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # OpenUNIX 8
 "OpenUNIX-8","cc:-O -DFILIO_H -Kalloca::-Kthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::::::::::dlfcn:svr5-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "OpenUNIX-8-gcc","gcc:-O -DFILIO_H -fomit-frame-pointer::-pthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::::::::::dlfcn:svr5-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "OpenUNIX-8-pentium","cc:-O -DFILIO_H -Kalloca -Kpentium::-Kthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::::::::::dlfcn:svr5-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "OpenUNIX-8-pentium_pro","cc:-O -DFILIO_H -Kalloca -Kpentium_pro::-Kthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::::::::::dlfcn:svr5-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # IBM's AIX.
 "aix-cc",   "cc:-O -DB_ENDIAN -qmaxmem=16384::(unknown):AIX::BN_LLONG RC4_CHAR:::",
 "aix-gcc",  "gcc:-O3 -DB_ENDIAN::(unknown):AIX::BN_LLONG RC4_CHAR:::",
-"aix43-cc",   "cc:-O -DAIX -DB_ENDIAN -qmaxmem=16384::(unknown):::BN_LLONG RC4_CHAR::::::::::dlfcn:",
+"aix43-cc",   "cc:-O -DAIX -DB_ENDIAN -qmaxmem=16384::(unknown):::BN_LLONG RC4_CHAR::::::::::dlfcn:aix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::",
-"aix43-gcc",  "gcc:-O3 -DAIX -DB_ENDIAN::(unknown):::BN_LLONG RC4_CHAR::::::::::dlfcn:",
+"aix43-gcc",  "gcc:-O1 -DAIX -DB_ENDIAN::(unknown):::BN_LLONG RC4_CHAR::::::::::dlfcn:",
 "aix64-cc",   "cc:-O -DAIX -DB_ENDIAN -qmaxmem=16384 -q64::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHAR::::::::::dlfcn:aix-shared::-q64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 64",
 #
 # Cray T90 and similar (SDSC)
@@ -470,15 +477,6 @@ my %table=(
 "dgux-R4-gcc",	"gcc:-O3 -fomit-frame-pointer::(unknown)::-lnsl -lsocket:RC4_INDEX DES_UNROLL:::",
 "dgux-R4-x86-gcc",	"gcc:-O3 -fomit-frame-pointer -DL_ENDIAN::(unknown)::-lnsl -lsocket:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
 # SCO 3 - Tim Rice <tim@multitalents.net>
 "sco3-gcc",  "gcc:-O3 -fomit-frame-pointer -Dssize_t=int -DNO_SYS_UN_H::(unknown)::-lsocket:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::", # the SCO assembler doesn't seem to like our assembler files ...
 # SCO 5 - Ben Laurie <ben@algroup.co.uk> says the -O breaks the
 # SCO cc.
 "sco5-cc",  "cc:-belf::(unknown)::-lsocket -lresolv -lnsl:${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:svr3-shared:-Kpic", # des options?
 "sco5-cc-pentium",  "cc:-Kpentium::(unknown)::-lsocket:${x86_gcc_des} ${x86_gcc_opts}:::", # des options?
 "sco5-gcc",  "gcc:-O3 -fomit-frame-pointer::(unknown)::-lsocket -lresolv -lnsl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:svr3-shared:-fPIC", # the SCO assembler doesn't seem to like our assembler files ...
 # Sinix/ReliantUNIX RM400
 # NOTE: The CDS++ Compiler up to V2.0Bsomething has the IRIX_CC_BUG optimizer problem. Better use -g  */
 "ReliantUNIX","cc:-KPIC -g -DTERMIOS -DB_ENDIAN::-Kthread:SNI:-lsocket -lnsl -lc -L/usr/ucblib -lucb:BN_LLONG DES_PTR DES_RISC2 DES_UNROLL BF_PTR::::::::::dlfcn:reliantunix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@@ -497,6 +495,7 @@ my %table=(
 # Windows NT, Microsoft Visual C++ 4.0
 "VC-NT","cl::::WINNT::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}::::::::::win32",
 "VC-CE","cl::::WINCE::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}::::::::::win32",
 "VC-WIN32","cl::::WIN32::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}::::::::::win32",
 "VC-WIN16","cl:::(unknown):WIN16::MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX THIRTY_TWO_BIT:::",
 "VC-W31-16","cl:::(unknown):WIN16::BN_LLONG MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX SIXTEEN_BIT:::",
@@ -504,7 +503,7 @@ my %table=(
 "VC-MSDOS","cl:::(unknown):MSDOS::BN_LLONG MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX SIXTEEN_BIT:::",
 # Borland C++ 4.5
-"BC-32","bcc32::::WIN32::BN_LLONG DES_PTR RC4_INDEX::::::::::win32",
+"BC-32","bcc32::::WIN32::BN_LLONG DES_PTR RC4_INDEX EXPORT_VAR_AS_FN::::::::::win32",
 "BC-16","bcc:::(unknown):WIN16::BN_LLONG DES_PTR RC4_INDEX SIXTEEN_BIT:::",
 # Mingw32
@@ -517,13 +516,13 @@ my %table=(
 # Cygwin
 "Cygwin-pre1.3", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown):CYGWIN32::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32",
-"Cygwin", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall:::CYGWIN32::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:win32:cygwin-shared:::.dll",
+"Cygwin", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall:::CYGWIN32::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:win32:cygwin-shared:::.dll",
 # DJGPP
-"DJGPP", "gcc:-I/dev/env/DJDIR/watt32/inc -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -Wall:::MSDOS:-L/dev/env/DJDIR/watt32/lib -lwatt:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::",
+"DJGPP", "gcc:-I/dev/env/WATT_ROOT/inc -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -Wall:::MSDOS:-L/dev/env/WATT_ROOT/lib -lwatt:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::",
 # Ultrix from Bernhard Simon <simon@zid.tuwien.ac.at>
-"ultrix-cc","cc:-std1 -O -Olimit 1000 -DL_ENDIAN::(unknown):::::::",
+"ultrix-cc","cc:-std1 -O -Olimit 2500 -DL_ENDIAN::(unknown):::::::",
 "ultrix-gcc","gcc:-O3 -DL_ENDIAN::(unknown):::::::",
 # K&R C is no longer supported; you need gcc on old Ultrix installations
 ##"ultrix","cc:-O2 -DNOPROTO -DNOCONST -DL_ENDIAN::(unknown):::::::",
@@ -542,10 +541,13 @@ my %table=(
 "OpenBSD-hppa",		"gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 ##### MacOS X (a.k.a. Rhapsody or Darwin) setup
-"rhapsody-ppc-cc","cc:-O3 -DB_ENDIAN::(unknown):MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::",
+"rhapsody-ppc-cc","cc:-O3 -DB_ENDIAN::(unknown):MACOSX_RHAPSODY::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::",
 "darwin-ppc-cc","cc:-O3 -fomit-frame-pointer -fno-common -DB_ENDIAN::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::::::::::darwin-shared:-fPIC::.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
 "darwin-i386-cc","cc:-O3 -fomit-frame-pointer -fno-common -DB_ENDIAN::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::::::::::darwin-shared:-fPIC::.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
 ##### A/UX
 "aux3-gcc","gcc:-O2 -DTERMIO::(unknown):AUX:-lbsd:RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::",
 ##### Sony NEWS-OS 4.x
 "newsos4-gcc","gcc:-O -DB_ENDIAN::(unknown):NEWS4:-lmld -liberty:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::",
@@ -557,11 +559,16 @@ my %table=(
 ##### VxWorks for various targets
 "vxworks-ppc405","ccppc:-g -msoft-float -mlongcall -DCPU=PPC405 -I\$(WIND_BASE)/target/h:::VXWORKS:-r:::::",
 "vxworks-ppc750","ccppc:-ansi -nostdinc -DPPC750 -D_REENTRANT -fvolatile -fno-builtin -fno-for-scope -fsigned-char -Wall -msoft-float -mlongcall -DCPU=PPC604 -I\$(WIND_BASE)/target/h \$(DEBUG_FLAG):::VXWORKS:-r:::::",
 "vxworks-ppc750-debug","ccppc:-ansi -nostdinc -DPPC750 -D_REENTRANT -fvolatile -fno-builtin -fno-for-scope -fsigned-char -Wall -msoft-float -mlongcall -DCPU=PPC604 -I\$(WIND_BASE)/target/h -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DDEBUG -g:::VXWORKS:-r:::::",
 ##### Compaq Non-Stop Kernel (Tandem)
 "tandem-c89","c89:-Ww -D__TANDEM -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1 -D_TANDEM_SOURCE -DB_ENDIAN::(unknown):::THIRTY_TWO_BIT:::",
 );
-my @WinTargets=qw(VC-NT VC-WIN32 VC-WIN16 VC-W31-16 VC-W31-32 VC-MSDOS BC-32
+my @WinTargets=qw(VC-NT VC-CE VC-WIN32 VC-WIN16 VC-W31-16 VC-W31-32 VC-MSDOS
-	BC-16 Mingw32 OS2-EMX);
+	BC-32 BC-16 Mingw32 OS2-EMX);
 my $idx = 0;
 my $idx_cc = $idx++;
@@ -586,6 +593,7 @@ my $idx_shared_cflag = $idx++;
 my $idx_shared_ldflag = $idx++;
 my $idx_shared_extension = $idx++;
 my $idx_ranlib = $idx++;
 my $idx_arflags = $idx++;
 my $prefix="";
 my $openssldir="";
@@ -643,6 +651,7 @@ my $openssl_thread_defines;
 my $openssl_sys_defines="";
 my $openssl_other_defines;
 my $libs;
 my $libkrb5="";
 my $target;
 my $options;
 my $symlink;
@@ -683,6 +692,11 @@ PROCESS_ARGS:
 			$flags .= "-DOPENSSL_NO_ASM ";
 			$openssl_other_defines .= "#define OPENSSL_NO_ASM\n";
 			}
 		elsif (/^no-err$/)
 		 	{
 			$flags .= "-DOPENSSL_NO_ERR ";
 			$openssl_other_defines .= "#define OPENSSL_NO_ERR\n";
 			}
 		elsif (/^no-hw-(.+)$/)
 			{
 			my $hw=$1;
@@ -705,7 +719,7 @@ PROCESS_ARGS:
 			{ $threads=1; }
 		elsif (/^no-shared$/)
 			{ $no_shared=1; }
-		elsif (/^shared$/)
+		elsif (/^shared$/ || /^-shared$/ || /^--shared$/)
 			{ $no_shared=0; }
 		elsif (/^no-zlib$/)
 			{ $zlib=0; }
@@ -733,6 +747,7 @@ PROCESS_ARGS:
 			$openssl_algorithm_defines .= "#define OPENSSL_NO_$algo\n";
 			if ($algo eq "RIJNDAEL")
 				{
 				push @skip, "aes";
 				$flags .= "-DOPENSSL_NO_AES ";
 				$depflags .= "-DOPENSSL_NO_AES ";
 				$openssl_algorithm_defines .= "#define OPENSSL_NO_AES\n";
@@ -745,14 +760,6 @@ PROCESS_ARGS:
 				$depflags .= "-DOPENSSL_NO_MDC2 ";
 				$openssl_algorithm_defines .= "#define OPENSSL_NO_MDC2\n";
 				}
 			if ($algo eq "EC" || $algo eq "SHA" || $algo eq "SHA1")
 				{
 				push @skip, "ecdsa";
 				$options .= " no-ecdsa";
 				$flags .= "-DOPENSSL_NO_ECDSA ";
 				$depflags .= "-DOPENSSL_NO_ECDSA ";
 				$openssl_algorithm_defines .= "#define OPENSSL_NO_ECDSA\n";
 				}
 			if ($algo eq "MD5")
 				{
 				$no_md5 = 1;
@@ -948,6 +955,9 @@ my $shared_cflag = $fields[$idx_shared_cflag];
 my $shared_ldflag = $fields[$idx_shared_ldflag];
 my $shared_extension = $fields[$idx_shared_extension];
 my $ranlib = $fields[$idx_ranlib];
 my $arflags = $fields[$idx_arflags];
 my $no_shared_warn=0;
 $cflags="$flags$cflags" if ($flags ne "");
@@ -966,6 +976,17 @@ else
 	my ($lresolv, $lpath, $lext);
 	if ($withargs{"krb5-flavor"} =~ /^[Hh]eimdal$/)
 		{
 		die "Sorry, Heimdal is currently not supported\n";
 		}
 	##### HACK to force use of Heimdal.
 	##### WARNING: Since we don't really have adequate support for Heimdal,
 	#####          using this will break the build.  You'll have to make
 	#####          changes to the source, and if you do, please send
 	#####          patches to openssl-dev@openssl.org
 	if ($withargs{"krb5-flavor"} =~ /^force-[Hh]eimdal$/)
 		{
 		warn "Heimdal isn't really supported.  Your build WILL break\n";
 		warn "If you fix the problems, please send a patch to openssl-dev\@openssl.org\n";
 		$withargs{"krb5-dir"} = "/usr/heimdal"
 			if $withargs{"krb5-dir"} eq "";
 		$withargs{"krb5-lib"} = "-L".$withargs{"krb5-dir"}.
@@ -998,7 +1019,7 @@ else
 			}
 		}
 	$withargs{"krb5-lib"} .= " -lresolv"
-		if ("$lresolv");
+		if ("$lresolv" ne "");
 	$withargs{"krb5-include"} = "-I".$withargs{"krb5-dir"}."/include"
 		if $withargs{"krb5-include"} eq "" &&
 		   $withargs{"krb5-dir"} ne "";
@@ -1065,6 +1086,11 @@ if ($no_asm)
 	$sha1_obj=$md5_obj=$rmd160_obj="";
 	}
 if (!$no_shared)
 	{
 	$cast_obj="";	# CAST assembler is not PIC
 	}
 if ($threads)
 	{
 	$cflags=$thread_cflags;
@@ -1075,25 +1101,22 @@ if ($zlib)
 	{
 	$cflags = "-DZLIB $cflags";
 	$cflags = "-DZLIB_SHARED $cflags" if $zlib == 2;
-	$lflags = "$lflags -lz" if $zlib == 2;
+	$lflags = "$lflags -lz" if $zlib == 1;
 	}
 # You will find shlib_mark1 and shlib_mark2 explained in Makefile.org
 my $shared_mark = "";
-if ($shared_target ne "")
+if ($shared_target eq "")
 	{
 	$no_shared_warn = 1 if !$no_shared;
 	$no_shared = 1;
 	}
 if (!$no_shared)
 	{
 	if ($shared_cflag ne "")
 		{
 		$cflags = "$shared_cflag $cflags";
 		}
 	if (!$no_shared)
 		{
 		#$shared_mark = "\$(SHARED_LIBS)";
 		}
 	}
 else
 	{
 	$no_shared = 1;
 	}
 if ($sys_id ne "")
@@ -1216,6 +1239,7 @@ while (<IN>)
 	s/^RMD160_ASM_OBJ=.*$/RMD160_ASM_OBJ= $rmd160_obj/;
 	s/^PROCESSOR=.*/PROCESSOR= $processor/;
 	s/^RANLIB=.*/RANLIB= $ranlib/;
 	s/^ARFLAGS=.*/ARFLAGS= $arflags/;
 	s/^PERL=.*/PERL= $perl/;
 	s/^KRB5_INCLUDES=.*/KRB5_INCLUDES=$withargs{"krb5-include"}/;
 	s/^LIBKRB5=.*/LIBKRB5=$withargs{"krb5-lib"}/;
@@ -1262,11 +1286,10 @@ print "SHA1_OBJ_ASM  =$sha1_obj\n";
 print "RMD160_OBJ_ASM=$rmd160_obj\n";
 print "PROCESSOR     =$processor\n";
 print "RANLIB        =$ranlib\n";
 print "ARFLAGS       =$arflags\n";
 print "PERL          =$perl\n";
 print "KRB5_INCLUDES =",$withargs{"krb5-include"},"\n"
 	if $withargs{"krb5-include"} ne "";
 print "LIBKRB5       =",$withargs{"krb5-lib"},"\n"
 	if $withargs{"krb5-lib"} ne "";
 my $des_ptr=0;
 my $des_risc1=0;
@@ -1457,6 +1480,7 @@ EOF
 	my $make_targets = "";
 	$make_targets .= " links" if $symlink;
 	$make_targets .= " depend" if $depflags ne "" && $make_depend;
 	$make_targets .= " gentests" if $symlink;
 	(system $make_command.$make_targets) == 0 or exit $?
 		if $make_targets ne "";
 	if ( $perl =~ m@^/@) {
@@ -1492,6 +1516,16 @@ applications as the compiler options required on this system are not known.
 See file INSTALL for details if you need multi-threading.
 EOF
 print <<\EOF if ($no_shared_warn);
 You gave the option 'shared'.  Normally, that would give you shared libraries.
 Unfortunately, the OpenSSL configuration doesn't include shared library support
 for this platform yet, so it will pretend you gave the option 'no-shared'.  If
 you can inform the developpers (openssl-dev\@openssl.org) how to support shared
 libraries on this platform, they will at least look at it and try their best
 (but please first make sure you have tried with a current version of OpenSSL).
 EOF
 exit(0);
 sub usage
@@ -1568,7 +1602,7 @@ sub print_table_entry
 	my $bn_ops,my $bn_obj,my $des_obj,my $bf_obj,
 	my $md5_obj,my $sha1_obj,my $cast_obj,my $rc4_obj,my $rmd160_obj,
 	my $rc5_obj,my $dso_scheme,my $shared_target,my $shared_cflag,
-	my $shared_ldflag,my $shared_extension,my $ranlib)=
+	my $shared_ldflag,my $shared_extension,my $ranlib,my $arflags)=
 	split(/\s*:\s*/,$table{$target} . ":" x 30 , -1);
 	print <<EOF
@@ -1596,6 +1630,7 @@ sub print_table_entry
 \$shared_ldflag = $shared_ldflag
 \$shared_extension = $shared_extension
 \$ranlib       = $ranlib
 \$arflags      = $arflags
 EOF
 	}
--- a/116
+++ b/116
@@ -9,6 +9,7 @@ OpenSSL  -  Frequently Asked Questions
 * Where can I get a compiled version of OpenSSL?
 * Why aren't tools like 'autoconf' and 'libtool' used?
 * What is an 'engine' version?
 * How do I check the authenticity of the OpenSSL distribution?
 [LEGAL] Legal questions
@@ -36,12 +37,15 @@ OpenSSL  -  Frequently Asked Questions
 * Why does the linker complain about undefined symbols?
 * Why does the OpenSSL test fail with "bc: command not found"?
 * Why does the OpenSSL test fail with "bc: 1 no implemented"?
 * Why does the OpenSSL test fail with "bc: stack empty"?
 * Why does the OpenSSL compilation fail on Alpha Tru64 Unix?
 * Why does the OpenSSL compilation fail with "ar: command not found"?
 * Why does the OpenSSL compilation fail on Win32 with VC++?
 * What is special about OpenSSL on Redhat?
 * Why does the OpenSSL compilation fail on MacOS X?
 * Why does the OpenSSL test suite fail on MacOS X?
 * Why does the OpenSSL test suite fail in BN_sqr test [on a 64-bit platform]?
 * Why does OpenBSD-i386 build fail on des-586.s with "Unimplemented segment type"?
 [PROG] Questions about programming with OpenSSL
@@ -64,7 +68,7 @@ OpenSSL  -  Frequently Asked Questions
 * Which is the current version of OpenSSL?
 The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 0.9.6d was released on May 9, 2002.
+OpenSSL 0.9.7a was released on February 19, 2003.
 In addition to the current stable release, you can also access daily
 snapshots of the OpenSSL development version at <URL:
@@ -135,6 +139,19 @@ hardware. This was realized in a special release '0.9.6-engine'. With
 version 0.9.7 (not yet released) the changes were merged into the main
 development line, so that the special release is no longer necessary.
 * How do I check the authenticity of the OpenSSL distribution?
 We provide MD5 digests and ASC signatures of each tarball.
 Use MD5 to check that a tarball from a mirror site is identical:
   md5sum TARBALL | awk '{print $1;}' | cmp - TARBALL.md5
 You can check authenticity using pgp or gpg. You need the OpenSSL team
 member public key used to sign it (download it from a key server). Then
 just do:
   pgp TARBALL.asc
 [LEGAL] =======================================================================
 * Do I need patent licenses to use OpenSSL?
@@ -172,18 +189,30 @@ for permission to use their software with OpenSSL.
 Cryptographic software needs a source of unpredictable data to work
 correctly.  Many open source operating systems provide a "randomness
-device" that serves this purpose.  On other systems, applications have
+device" (/dev/urandom or /dev/random) that serves this purpose.
-to call the RAND_add() or RAND_seed() function with appropriate data
+All OpenSSL versions try to use /dev/urandom by default; starting with
-before generating keys or performing public key encryption.
+version 0.9.7, OpenSSL also tries /dev/random if /dev/urandom is not
-(These functions initialize the pseudo-random number generator, PRNG.)
+available.
-Some broken applications do not do this.  As of version 0.9.5, the
+On other systems, applications have to call the RAND_add() or
-OpenSSL functions that need randomness report an error if the random
+RAND_seed() function with appropriate data before generating keys or
-number generator has not been seeded with at least 128 bits of
+performing public key encryption. (These functions initialize the
-randomness.  If this error occurs, please contact the author of the
+pseudo-random number generator, PRNG.)  Some broken applications do
-application you are using.  It is likely that it never worked
+not do this.  As of version 0.9.5, the OpenSSL functions that need
-correctly.  OpenSSL 0.9.5 and later make the error visible by refusing
+randomness report an error if the random number generator has not been
-to perform potentially insecure encryption.
+seeded with at least 128 bits of randomness.  If this error occurs and
 is not discussed in the documentation of the application you are
 using, please contact the author of that application; it is likely
 that it never worked correctly.  OpenSSL 0.9.5 and later make the
 error visible by refusing to perform potentially insecure encryption.
 If you are using Solaris 8, you can add /dev/urandom and /dev/random
 devices by installing patch 112438 (Sparc) or 112439 (x86), which are
 available via the Patchfinder at <URL: http://sunsolve.sun.com>
 (Solaris 9 includes these devices by default). For /dev/random support
 for earlier Solaris versions, see Sun's statement at
 <URL: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsrdb/27606&zone_32=SUNWski>
 (the SUNWski package is available in patch 105710).
 On systems without /dev/urandom and /dev/random, it is a good idea to
 use the Entropy Gathering Demon (EGD); see the RAND_egd() manpage for
@@ -216,16 +245,6 @@ OpenSSL command line tools. Applications using the OpenSSL library
 provide their own configuration options to specify the entropy source,
 please check out the documentation coming the with application.
 For Solaris 2.6, Tim Nibbe <tnibbe@sprint.net> and others have suggested
 installing the SUNski package from Sun patch 105710-01 (Sparc) which
 adds a /dev/random device and make sure it gets used, usually through
 $RANDFILE.  There are probably similar patches for the other Solaris
 versions.  An official statement from Sun with respect to /dev/random
 support can be found at
  http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsrdb/27606&zone_32=SUNWski
 However, be warned that /dev/random is usually a blocking device, which
 may have some effects on OpenSSL.
 * Why do I get an "unable to write 'random state'" error message?
@@ -402,6 +421,17 @@ and compile/install it.  GNU bc (see http://www.gnu.org/software/software.html
 for download instructions) can be safely used, for example.
 * Why does the OpenSSL test fail with "bc: stack empty"?
 On some DG/ux versions, bc seems to have a too small stack for calculations
 that the OpenSSL bntest throws at it.  This gets triggered when you run the
 test suite (using "make test").  The message returned is "bc: stack empty".
 The best way to deal with this is to find another implementation of bc
 and compile/install it.  GNU bc (see http://www.gnu.org/software/software.html
 for download instructions) can be safely used, for example.
 * Why does the OpenSSL compilation fail on Alpha Tru64 Unix?
 On some Alpha installations running Tru64 Unix and Compaq C, the compilation
@@ -460,10 +490,13 @@ and then redo the compilation.  What you should really do is make sure
 Sometimes, you may get reports from VC++ command line (cl) that it
 can't find standard include files like stdio.h and other weirdnesses.
 One possible cause is that the environment isn't correctly set up.
-To solve that problem, one should run VCVARS32.BAT which is found in
+To solve that problem for VC++ versions up to 6, one should run
-the 'bin' subdirectory of the VC++ installation directory (somewhere
+VCVARS32.BAT which is found in the 'bin' subdirectory of the VC++
-under 'Program Files').  This needs to be done prior to running NMAKE,
+installation directory (somewhere under 'Program Files').  For VC++
-and the changes are only valid for the current DOS session.
+version 7 (and up?), which is also called VS.NET, the file is called
 VSVARS32.BAT instead.
 This needs to be done prior to running NMAKE, and the changes are only
 valid for the current DOS session.
 * What is special about OpenSSL on Redhat?
@@ -524,6 +557,37 @@ libraries you just built.
 Look in the file PROBLEMS for a more detailed explanation and for possible
 solutions.
 * Why does the OpenSSL test suite fail in BN_sqr test [on a 64-bit platform]?
 Failure in BN_sqr test is most likely caused by a failure to configure the
 toolkit for current platform or lack of support for the platform in question.
 Run './config -t' and './apps/openssl version -p'. Do these platform
 identifiers match? If they don't, then you most likely failed to run
 ./config and you're hereby advised to do so before filing a bug report.
 If ./config itself fails to run, then it's most likely problem with your
 local environment and you should turn to your system administrator (or
 similar). If identifiers match (and/or no alternative identifier is
 suggested by ./config script), then the platform is unsupported. There might
 or might not be a workaround. Most notably on SPARC64 platforms with GNU
 C compiler you should be able to produce a working build by running
 './config -m32'. I understand that -m32 might not be what you want/need,
 but the build should be operational. For further details turn to
 <openssl-dev@openssl.org>.
 * Why does OpenBSD-i386 build fail on des-586.s with "Unimplemented segment type"?
 As of 0.9.7 assembler routines were overhauled for position independence
 of the machine code, which is essential for shared library support. For
 some reason OpenBSD is equipped with an out-of-date GNU assembler which
 finds the new code offensive. To work around the problem, configure with
 no-asm (and sacrifice a great deal of performance) or patch your assembler
 according to <URL: http://www.openssl.org/~appro/gas-1.92.3.OpenBSD.patch>.
 For your convenience a pre-compiled replacement binary is provided at
 <URL: http://www.openssl.org/~appro/gas-1.92.3.static.aout.bin>.
 Reportedly elder *BSD a.out platforms also suffer from this problem and
 remedy should be same. Provided binary is statically linked and should be
 working across wider range of *BSD branches, not just OpenBSD.
 [PROG] ========================================================================
 * Is OpenSSL thread-safe?
--- a/42
+++ b/42
@@ -140,8 +140,8 @@
     standard headers).  If it is a problem with OpenSSL itself, please
     report the problem to <openssl-bugs@openssl.org> (note that your
     message will be recorded in the request tracker publicly readable
-     via http://www.openssl.org/rt2.html and will be forwarded to a public
+     via http://www.openssl.org/support/rt2.html and will be forwarded to a
-     mailing list). Include the output of "make report" in your message.
+     public mailing list). Include the output of "make report" in your message.
     Please check out the request tracker. Maybe the bug was already
     reported or has already been fixed.
@@ -158,11 +158,11 @@
     If a test fails, look at the output.  There may be reasons for
     the failure that isn't a problem in OpenSSL itself (like a missing
     or malfunctioning bc).  If it is a problem with OpenSSL itself,
-     try removing any compiler optimization flags from the CFLAGS line
+     try removing any compiler optimization flags from the CFLAG line
     in Makefile.ssl and run "make clean; make". Please send a bug
     report to <openssl-bugs@openssl.org>, including the output of
     "make report" in order to be added to the request tracker at
-     http://www.openssl.org/rt2.html.
+     http://www.openssl.org/support/rt2.html.
  4. If everything tests ok, install OpenSSL with
@@ -296,3 +296,37 @@
 targets for shared library creation, like linux-shared.  Those targets
 can currently be used on their own just as well, but this is expected
 to change in future versions of OpenSSL.
 Note on random number generation
 --------------------------------
 Availability of cryptographically secure random numbers is required for
 secret key generation. OpenSSL provides several options to seed the
 internal PRNG. If not properly seeded, the internal PRNG will refuse
 to deliver random bytes and a "PRNG not seeded error" will occur.
 On systems without /dev/urandom (or similar) device, it may be necessary
 to install additional support software to obtain random seed.
 Please check out the manual pages for RAND_add(), RAND_bytes(), RAND_egd(),
 and the FAQ for more information.
 Note on support for multiple builds
 -----------------------------------
 OpenSSL is usually built in it's source tree.  Unfortunately, this doesn't
 support building for multiple platforms from the same source tree very well.
 It is however possible to build in a separate tree through the use of lots
 of symbolic links, which should be prepared like this:
 	mkdir -p objtree/"`uname -s`-`uname -r`-`uname -m`"
 	cd objtree/"`uname -s`-`uname -r`-`uname -m`"
 	(cd $OPENSSL_SOURCE; find . -type f) | while read F; do
 		mkdir -p `dirname $F`
 		rm -f $F; ln -s $OPENSSL_SOURCE/$F $F
 		echo $F '->' $OPENSSL_SOURCE/$F
 	done
 	make -f Makefile.org clean
 OPENSSL_SOURCE is an environment variable that contains the absolute (this
 is important!) path to the OpenSSL source tree.
 Also, operations like 'make update' should still be made in the source tree.
--- a/INSTALL.DJGPP
+++ b/INSTALL.DJGPP
@@ -12,12 +12,14 @@
 latest versions of DJGPP, GCC, BINUTILS, BASH, etc. This package
 requires that PERL and BC also be installed.
- All of these can be obtained from the usual DJGPP mirror sites, such as
+ All of these can be obtained from the usual DJGPP mirror sites, such
- "ftp://ftp.simtel.net/pub/simtelnet/gnu/djgpp". You also need to have
+ as "ftp://ftp.simtel.net/pub/simtelnet/gnu/djgpp". You also need to
- the WATT-32 networking package installed before you try to compile
+ have the WATT-32 networking package installed before you try to compile
- openssl. This can be obtained from "http://www.bgnett.no/~giva/". The
+ openssl. This can be obtained from "http://www.bgnett.no/~giva/".
- Makefile assumes that the WATT-32 code is in directory "watt32" under
+ The Makefile assumes that the WATT-32 code is in the directory
- /dev/env/DJDIR.
+ specified by the environment variable WATT_ROOT. If you have watt-32
 in directory "watt32" under your main DJGPP directory, specify
 WATT_ROOT="/dev/env/DJDIR/watt32".
 To compile openssl, start your BASH shell. Then configure for DOS by
 running "./Configure" with appropriate arguments. The basic syntax for
--- a/INSTALL.W32
+++ b/INSTALL.W32
@@ -2,6 +2,8 @@
 INSTALLATION ON THE WIN32 PLATFORM
 ----------------------------------
 [Instructions for building for Windows CE can be found in INSTALL.WCE]
 Heres a few comments about building OpenSSL in Windows environments.  Most
 of this is tested on Win32 but it may also work in Win 3.1 with some
 modification.
@@ -24,12 +26,13 @@
  * Microsoft MASM (aka "ml")
  * Free Netwide Assembler NASM.
- MASM was at one point distributed with VC++. It is now distributed with some
+ MASM is distributed with most versions of VC++. For the versions where it is
- Microsoft DDKs, for example the Windows NT 4.0 DDK and the Windows 98 DDK. If
+ not included in VC++, it is also distributed with some Microsoft DDKs, for
- you do not have either of these DDKs then you can just download the binaries
+ example the Windows NT 4.0 DDK and the Windows 98 DDK. If you do not have
- for the Windows 98 DDK and extract and rename the two files XXXXXml.exe and
+ either of these DDKs then you can just download the binaries for the Windows
- XXXXXml.err, to ml.exe and ml.err and install somewhere on your PATH. Both
+ 98 DDK and extract and rename the two files XXXXXml.exe and XXXXXml.err, to
- DDKs can be downloaded from the Microsoft developers site www.msdn.com.
+ ml.exe and ml.err and install somewhere on your PATH. Both DDKs can be
 downloaded from the Microsoft developers site www.msdn.com.
 NASM is freely available. Version 0.98 was used during testing: other versions
 may also work. It is available from many places, see for example:
@@ -82,7 +85,8 @@
 There are various changes you can make to the Win32 compile environment. By
 default the library is not compiled with debugging symbols. If you add 'debug'
 to the mk1mf.pl lines in the do_* batch file then debugging symbols will be
- compiled in.
+ compiled in. Note that mk1mf.pl expects the platform to be the last argument
 on the command line, so 'debug' must appear before that, as all other options.
 The default Win32 environment is to leave out any Windows NT specific
 features.
--- a/INSTALL.WCE
+++ b/INSTALL.WCE
@@ -0,0 +1,71 @@
 INSTALLATION FOR THE WINDOWS CE PLATFORM
 ----------------------------------------
 Building OpenSSL for Windows CE requires the following external tools:
  * Microsoft eMbedded Visual C++ 3.0
  * wcecompat compatibility library (www.essemer.com.au)
  * Optionally ceutils for running automated tests (www.essemer.com.au)
 You also need Perl for Win32.  You will need ActiveState Perl, available
 from http://www.activestate.com/ActivePerl.
 Windows CE support in OpenSSL relies on wcecompat.  All Windows CE specific
 issues should be directed to www.essemer.com.au.
 The C Runtime Library implementation for Windows CE that is included with
 Microsoft eMbedded Visual C++ 3.0 is incomplete and in some places
 incorrect.  wcecompat plugs the holes and tries to bring the Windows CE
 CRT to a level that is more compatible with ANSI C.  wcecompat goes further
 and provides low-level IO and stream IO support for stdin/stdout/stderr
 (which Windows CE does not provide).  This IO functionality is not needed
 by the OpenSSL library itself but is used for the tests and openssl.exe.
 More information is available at www.essemer.com.au.
 Building
 --------
 Setup the eMbedded Visual C++ environment.  There are batch files for doing
 this installed with eVC++.  For an ARM processor, for example, execute:
 > "C:\Program Files\Microsoft eMbedded Tools\EVC\WCE300\BIN\WCEARM.BAT"
 Next indicate where wcecompat is located:
 > set WCECOMPAT=C:\wcecompat
 Next you should run Configure:
 > perl Configure VC-CE
 Next you need to build the Makefiles:
 > ms\do_ms
 If you get errors about things not having numbers assigned then check the
 troubleshooting section in INSTALL.W32: you probably won't be able to compile
 it as it stands.
 Then from the VC++ environment at a prompt do:
 - to build static libraries:
   > nmake -f ms\ce.mak
 - or to build DLLs:
   > nmake -f ms\cedll.mak
 If all is well it should compile and you will have some static libraries and
 executables in out32, or some DLLs and executables in out32dll.  If you want
 to try the tests then make sure the ceutils are in the path and do:
 > cd out32
 > ..\ms\testce
 This will copy each of the test programs to the Windows CE device and execute
 them, displaying the output of the tests on this computer.  The output should
 look similar to the output produced by running the tests for a regular Windows
 build.
--- a/MacOS/GetHTTPS.src/MacSocket.cpp
+++ b/MacOS/GetHTTPS.src/MacSocket.cpp
@@ -1287,7 +1287,7 @@ EXITPOINT:
 //	Send some bytes
-int MacSocket_send(const int inSocketNum,void *inBuff,int inBuffLength)
+int MacSocket_send(const int inSocketNum,const void *inBuff,int inBuffLength)
 {
 OSErr			errCode = noErr;
 int				bytesSent = 0;
--- a/MacOS/GetHTTPS.src/MacSocket.h
+++ b/MacOS/GetHTTPS.src/MacSocket.h
@@ -62,7 +62,7 @@ int MacSocket_recv(const int inSocketNum,void *outBuff,int outBuffLength,const B
 //	Call this to send data on a socket
-int MacSocket_send(const int inSocketNum,void *inBuff,int inBuffLength);
+int MacSocket_send(const int inSocketNum,const void *inBuff,int inBuffLength);
 //	If zero bytes were read in a call to MacSocket_recv(), it may be that the remote end has done a half-close
--- a/Makefile.org
+++ b/Makefile.org
@@ -15,6 +15,11 @@ OPTIONS=
 CONFIGURE_ARGS=
 SHLIB_TARGET=
 # HERE indicates where this Makefile lives.  This can be used to indicate
 # where sub-Makefiles are expected to be.  Currently has very limited usage,
 # and should probably not be bothered with at all.
 HERE=.
 # INSTALL_PREFIX is for package builders so that they can configure
 # for, say, /usr/ and yet have everything installed to /tmp/somedir/usr/.
 # Normally it is left empty.
@@ -59,13 +64,22 @@ DEPFLAG=
 PEX_LIBS= 
 EX_LIBS= 
 EXE_EXT= 
-AR=ar r
+ARFLAGS=
 AR=ar $(ARFLAGS) r
 RANLIB= ranlib
 PERL= perl
 TAR= tar
 TARFLAGS= --no-recursion
 MAKEDEPPROG=makedepend
 # We let the C compiler driver to take care of .s files. This is done in
 # order to be excused from maintaining a separate set of architecture
 # dependent assembler flags. E.g. if you throw -mcpu=ultrasparc at SPARC
 # gcc, then the driver will automatically translate it to -xarch=v8plus
 # and pass it down to assembler.
 AS=$(CC) -c
 ASFLAGS=$(CFLAG)
 # Set BN_ASM to bn_asm.o if you want to use the C version
 BN_ASM= bn_asm.o
 #BN_ASM= bn_asm.o
@@ -166,7 +180,7 @@ SHLIBDIRS= crypto ssl
 SDIRS=  \
 	md2 md4 md5 sha mdc2 hmac ripemd \
 	des rc2 rc4 rc5 idea bf cast \
-	bn ec rsa dsa ecdsa dh dso engine aes \
+	bn ec rsa dsa dh dso engine aes \
 	buffer bio stack lhash rand err objects \
 	evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5
@@ -204,14 +218,14 @@ HEADER=         e_os.h
 # When we're prepared to use shared libraries in the programs we link here
 # we might remove 'clean-shared' from the targets to perform at this stage
-all: Makefile.ssl sub_all
+all: Makefile.ssl sub_all openssl.pc
 sub_all:
 	@for i in $(DIRS); \
 	do \
 	if [ -d "$$i" ]; then \
 		(cd $$i && echo "making all in $$i..." && \
-		$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' all ) || exit 1; \
+		$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' AS='${AS}' ASFLAGS='${ASFLAGS}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' all ) || exit 1; \
 	else \
 		$(MAKE) $$i; \
 	fi; \
@@ -241,7 +255,7 @@ clean-shared:
 		fi; \
 		( set -x; rm -f lib$$i$(SHLIB_EXT) ); \
 		if [ "$(PLATFORM)" = "Cygwin" ]; then \
-			( set -x; rm -f cyg$$i$(SHLIB_EXT) lib$$i$(SHLIB_EXT).a ); \
+			( set -x; rm -f cyg$$i-$(SHLIB_VERSION_NUMBER)$(SHLIB_EXT) lib$$i$(SHLIB_EXT).a ); \
 		fi; \
 	done
@@ -251,7 +265,8 @@ link-shared:
 		for i in $(SHLIBDIRS); do \
 			prev=lib$$i$(SHLIB_EXT); \
 			for j in $${tmp:-x}; do \
-				( set -x; ln -f -s $$prev lib$$i$$j ); \
+				( set -x; \
 				rm -f lib$$i$$j; ln -s $$prev lib$$i$$j ); \
 				prev=lib$$i$$j; \
 			done; \
 		done; \
@@ -263,41 +278,45 @@ do_bsd-gcc-shared: do_gnu-shared
 do_linux-shared: do_gnu-shared
 do_gnu-shared:
 	libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
 	if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
 		libs="$(LIBKRB5) $$libs"; \
 	fi; \
 	( set -x; ${CC} ${SHARED_LDFLAGS} \
 		-shared -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 		-Wl,-soname=lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 		-Wl,-Bsymbolic \
 		-Wl,--whole-archive lib$$i.a \
 		-Wl,--no-whole-archive $$libs ${EX_LIBS} -lc ) || exit 1; \
-	libs="$$libs -l$$i"; \
+	libs="-l$$i $$libs"; \
 	done
-DETECT_GNU_LD=${CC} -v 2>&1 | grep '^gcc' >/dev/null 2>&1 && \
+DETECT_GNU_LD=(${CC} -Wl,-V /dev/null 2>&1 | grep '^GNU ld' )>/dev/null
 	collect2=`gcc -print-prog-name=collect2 2>&1` && \
 	[ -n "$$collect2" ] && \
 	my_ld=`$$collect2 --help 2>&1 | grep Usage: | sed 's/^Usage: *\([^ ][^ ]*\).*/\1/'` && \
 	[ -n "$$my_ld" ] && \
 	$$my_ld -v 2>&1 | grep 'GNU ld' >/dev/null 2>&1
 # For Darwin AKA Mac OS/X (dyld)
 do_darwin-shared: 
 	libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
 	if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
 		libs="$(LIBKRB5) $$libs"; \
 	fi; \
 	( set -x; ${CC} --verbose -dynamiclib -o lib$$i${SHLIB_EXT} \
 		lib$$i.a $$libs -all_load -current_version ${SHLIB_MAJOR}.${SHLIB_MINOR} \
 		-compatibility_version ${SHLIB_MAJOR}.`echo ${SHLIB_MINOR} | cut -d. -f1` \
 		-install_name ${INSTALLTOP}/lib/lib$$i${SHLIB_EXT} ) || exit 1; \
-	libs="$$libs -l`basename $$i${SHLIB_EXT} .dylib`"; \
+	libs="-l`basename $$i${SHLIB_EXT} .dylib` $$libs"; \
 	echo "" ; \
 	done
 do_cygwin-shared:
 	libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
-	( set -x; ${CC}  -shared -o cyg$$i.dll \
+	if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
 		libs="$(LIBKRB5) $$libs"; \
 	fi; \
 	( set -x; ${CC}  -shared -o cyg$$i-$(SHLIB_VERSION_NUMBER).dll \
 		-Wl,-Bsymbolic \
 		-Wl,--whole-archive lib$$i.a \
 		-Wl,--out-implib,lib$$i.dll.a \
 		-Wl,--no-whole-archive $$libs ) || exit 1; \
-	libs="$$libs -l$$i"; \
+	libs="-l$$i $$libs"; \
 	done
 # This assumes that GNU utilities are *not* used
@@ -306,11 +325,14 @@ do_alpha-osf1-shared:
 		$(MAKE) do_gnu-shared; \
 	else \
 		libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
 		if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
 			libs="$(LIBKRB5) $$libs"; \
 		fi; \
 		( set -x; ${CC} ${SHARED_LDFLAGS} \
 			-shared -o lib$$i.so \
 			-set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}" \
 			-all lib$$i.a -none $$libs ${EX_LIBS} -lc ) || exit 1; \
-		libs="$$libs -l$$i"; \
+		libs="-l$$i $$libs"; \
 		done; \
 	fi
@@ -322,11 +344,14 @@ do_tru64-shared:
 		$(MAKE) do_gnu-shared; \
 	else \
 		libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
 		if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
 			libs="$(LIBKRB5) $$libs"; \
 		fi; \
 		( set -x; ${CC} ${SHARED_LDFLAGS} \
 			-shared -msym -o lib$$i.so \
 			-set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}" \
 			-all lib$$i.a -none $$libs ${EX_LIBS} -lc ) || exit 1; \
-		libs="$$libs -l$$i"; \
+		libs="-l$$i $$libs"; \
 		done; \
 	fi
@@ -338,12 +363,15 @@ do_tru64-shared-rpath:
 		$(MAKE) do_gnu-shared; \
 	else \
 		libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
 		if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
 			libs="$(LIBKRB5) $$libs"; \
 		fi; \
 		( set -x; ${CC} ${SHARED_LDFLAGS} \
 			-shared -msym -o lib$$i.so \
 			-rpath  ${INSTALLTOP}/lib \
 			-set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}" \
 			-all lib$$i.a -none $$libs ${EX_LIBS} -lc ) || exit 1; \
-		libs="$$libs -l$$i"; \
+		libs="-l$$i $$libs"; \
 		done; \
 	fi
@@ -354,12 +382,18 @@ do_solaris-shared:
 		$(MAKE) do_gnu-shared; \
 	else \
 		libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
 		if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
 			libs="$(LIBKRB5) $$libs"; \
 		fi; \
 		( PATH=/usr/ccs/bin:$$PATH ; export PATH; \
-		  set -x; ${CC} ${SHARED_LDFLAGS} \
+		  MINUSZ='-z '; \
-			-G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
+		  (${CC} -v 2>&1 | grep gcc) > /dev/null && MINUSZ='-Wl,-z,'; \
 		  set -x; ${CC} ${SHARED_LDFLAGS} -G -dy -z text \
 			-o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 			-h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-			-z allextract lib$$i.a $$libs ${EX_LIBS} -lc ) || exit 1; \
+			$${MINUSZ}allextract lib$$i.a $${MINUSZ}defaultextract \
-		libs="$$libs -l$$i"; \
+			$$libs ${EX_LIBS} -lc ) || exit 1; \
 		libs="-l$$i $$libs"; \
 		done; \
 	fi
@@ -369,6 +403,9 @@ do_svr3-shared:
 		$(MAKE) do_gnu-shared; \
 	else \
 		libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
 		if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
 			libs="$(LIBKRB5) $$libs"; \
 		fi; \
 		( PATH=/usr/ccs/bin:$$PATH ; export PATH; \
 		  find . -name "*.o" -print > allobjs ; \
 		  OBJS= ; export OBJS ; \
@@ -378,7 +415,7 @@ do_svr3-shared:
 		  set -x; ${CC}  -G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 			-h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 			$${OBJS} $$libs ${EX_LIBS} ) || exit 1; \
-		libs="$$libs -l$$i"; \
+		libs="-l$$i $$libs"; \
 		done; \
 	fi
@@ -388,6 +425,9 @@ do_svr5-shared:
 		$(MAKE) do_gnu-shared; \
 	else \
 		libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
 		if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
 			libs="$(LIBKRB5) $$libs"; \
 		fi; \
 		( PATH=/usr/ccs/bin:$$PATH ; export PATH; \
 		  find . -name "*.o" -print > allobjs ; \
 		  OBJS= ; export OBJS ; \
@@ -398,7 +438,7 @@ do_svr5-shared:
 			-G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 			-h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 			$${OBJS} $$libs ${EX_LIBS} ) || exit 1; \
-		libs="$$libs -l$$i"; \
+		libs="-l$$i $$libs"; \
 		done; \
 	fi
@@ -408,11 +448,14 @@ do_irix-shared:
 		$(MAKE) do_gnu-shared; \
 	else \
 		libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
 		if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
 			libs="$(LIBKRB5) $$libs"; \
 		fi; \
 		( set -x; ${CC} ${SHARED_LDFLAGS} \
 			-shared -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 			-Wl,-soname,lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 			-all lib$$i.a $$libs ${EX_LIBS} -lc) || exit 1; \
-		libs="$$libs -l$$i"; \
+		libs="-l$$i $$libs"; \
 		done; \
 	fi
@@ -429,6 +472,9 @@ do_irix-shared:
 #
 do_hpux-shared:
 	for i in ${SHLIBDIRS}; do \
 	if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
 		libs="$(LIBKRB5) $$libs"; \
 	fi; \
 	( set -x; /usr/ccs/bin/ld ${SHARED_LDFLAGS} \
 		+vnocompatwarnings \
 		-b -z +s \
@@ -449,6 +495,9 @@ do_hpux-shared:
 #
 do_hpux64-shared:
 	for i in ${SHLIBDIRS}; do \
 	if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
 		libs="$(LIBKRB5) $$libs"; \
 	fi; \
 	( set -x; /usr/ccs/bin/ld ${SHARED_LDFLAGS} \
 		-b -z \
 		-o lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
@@ -491,17 +540,24 @@ SHAREDFLAGS=${SHARED_LDFLAGS} -G -bE:lib$$i.exp -bM:SRE
 SHAREDCMD=$(CC)
 do_aix-shared:
 	libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
 	if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
 		libs="$(LIBKRB5) $$libs"; \
 	fi; \
 	( set -x; \
-	  ld -r -o $$i.o $(ALLSYMSFLAG) lib$$i.a && \
+	  ld -r -o lib$$i.o $(ALLSYMSFLAG) lib$$i.a && \
 	  ( nm -Pg lib$$i.o | grep ' [BD] ' | cut -f1 -d' ' > lib$$i.exp; \
-	    $(SHAREDCMD) $(SHAREDFLAG) -o lib$$i.so lib$$i.o \
+	    $(SHAREDCMD) $(SHAREDFLAGS) \
 		-o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} lib$$i.o \
 		$$libs ${EX_LIBS} ) ) \
 	|| exit 1; \
-	libs="$$libs -l$$i"; \
+	libs="-l$$i $$libs"; \
 	done
 do_reliantunix-shared:
 	libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
 	if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
 		libs="$(LIBKRB5) $$libs"; \
 	fi; \
 	tmpdir=/tmp/openssl.$$$$ ; rm -rf $$tmpdir ; \
 	( set -x; \
 	  ( Opwd=`pwd` ; mkdir $$tmpdir || exit 1; \
@@ -511,9 +567,22 @@ do_reliantunix-shared:
 	  cp $$tmpdir/lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} . ; \
 	) || exit 1; \
 	rm -rf $$tmpdir ; \
-	libs="$$libs -l$$i"; \
+	libs="-l$$i $$libs"; \
 	done
 openssl.pc: Makefile.ssl
 	@ ( echo 'prefix=$(INSTALLTOP)'; \
 	    echo 'exec_prefix=$${prefix}'; \
 	    echo 'libdir=$${exec_prefix}/lib'; \
 	    echo 'includedir=$${prefix}/include'; \
 	    echo ''; \
 	    echo 'Name: OpenSSL'; \
 	    echo 'Description: Secure Sockets Layer and cryptography libraries and tools'; \
 	    echo 'Version: '$(VERSION); \
 	    echo 'Requires: '; \
 	    echo 'Libs: -L$${libdir} -lssl -lcrypto $(LIBKRB5) $(EX_LIBS)'; \
 	    echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc
 Makefile.ssl: Makefile.org
 	@echo "Makefile.ssl is older than Makefile.org."
 	@echo "Reconfigure the source tree (via './config' or 'perl Configure'), please."
@@ -532,6 +601,7 @@ clean:
 		rm -f $(LIBS); \
 	fi; \
 	done;
 	rm -f openssl.pc
 	rm -f *.a *.o speed.* *.map *.so .pure core
 	rm -f $(TARFILE)
 	@for i in $(ONEDIRS) ;\
@@ -564,6 +634,10 @@ links:
 	fi; \
 	done;
 gentests:
 	@(cd test && echo "generating dummy tests (if needed)..." && \
 	$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' TESTS='${TESTS}' OPENSSL_DEBUG_MEMORY=on generate );
 dclean:
 	rm -f *.bak
 	@for i in $(DIRS) ;\
@@ -579,7 +653,8 @@ rehash.time: certs
 	@(OPENSSL="`pwd`/apps/openssl"; OPENSSL_DEBUG_MEMORY=on; \
 		export OPENSSL OPENSSL_DEBUG_MEMORY; \
 		LD_LIBRARY_PATH="`pwd`"; DYLD_LIBRARY_PATH="`pwd`"; SHLIB_PATH="`pwd`"; LIBPATH="`pwd`"; \
-		export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH; \
+		if [ "$(PLATFORM)" = "Cygwin" ]; then PATH="`pwd`:$$PATH"; fi; \
 		export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; \
 		$(PERL) tools/c_rehash certs)
 	touch rehash.time
@@ -589,7 +664,8 @@ tests: rehash
 	@(cd test && echo "testing..." && \
 	$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' TESTS='${TESTS}' OPENSSL_DEBUG_MEMORY=on tests );
 	@LD_LIBRARY_PATH="`pwd`"; DYLD_LIBRARY_PATH="`pwd`"; SHLIB_PATH="`pwd`"; LIBPATH="`pwd`"; \
-		export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH; \
+		if [ "$(PLATFORM)" = "Cygwin" ]; then PATH="`pwd`:$$PATH"; fi; \
 		export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; \
 		apps/openssl version -a
 report:
@@ -652,6 +728,9 @@ update: depend errors stacks util/libeay.num util/ssleay.num crypto/objects/obj_
 # and read directly, requiring GNU-Tar. Call "make TAR=gtar dist" if the normal
 # tar does not support the --files-from option.
 tar:
 	find . -type d -print | xargs chmod 755
 	find . -type f -print | xargs chmod a+r
 	find . -type f -perm -0100 -print | xargs chmod a+x
 	find * \! -path CVS/\* \! -path \*/CVS/\* \! -name CVS \! -name .cvsignore \! -name STATUS \! -name TABLE | sort > ../$(TARFILE).list; \
 	$(TAR) $(TARFLAGS) --files-from ../$(TARFILE).list -cvf - | \
 	tardy --user_number=0  --user_name=openssl \
@@ -681,6 +760,7 @@ dist_pem_h:
 install: all install_docs
 	@$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
 		$(INSTALL_PREFIX)$(INSTALLTOP)/lib \
 		$(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig \
 		$(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl \
 		$(INSTALL_PREFIX)$(OPENSSLDIR)/misc \
 		$(INSTALL_PREFIX)$(OPENSSLDIR)/certs \
@@ -702,9 +782,10 @@ install: all install_docs
 	do \
 		if [ -f "$$i" ]; then \
 		(       echo installing $$i; \
-			cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
+			cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
-			$(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
+			$(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
-			chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \
+			chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
 			mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \
 		fi; \
 	done;
 	@if [ -n "$(SHARED_LIBS)" ]; then \
@@ -714,21 +795,32 @@ install: all install_docs
 			if [ -f "$$i" -o -f "$$i.a" ]; then \
 			(       echo installing $$i; \
 				if [ "$(PLATFORM)" != "Cygwin" ]; then \
-					cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
+					cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
-					chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
+					chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
 					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
 				else \
-					c=`echo $$i | sed 's/^lib/cyg/'`; \
+					c=`echo $$i | sed 's/^lib\(.*\)\.dll/cyg\1-$(SHLIB_VERSION_NUMBER).dll/'`; \
-					cp $$c $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \
+					cp $$c $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \
-					chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \
+					chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \
-					cp $$i.a $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a; \
+					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \
-					chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a; \
+					cp $$i.a $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a.new; \
 					chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a.new; \
 					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a; \
 				fi ); \
 			fi; \
 		done; \
 		(	here="`pwd`"; \
 			cd $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
-			make -f $$here/Makefile link-shared ); \
+			set $(MAKE); \
 			$$1 -f $$here/Makefile link-shared ); \
 		if [ "$(INSTALLTOP)" != "/usr" ]; then \
 			echo 'OpenSSL shared libraries have been installed in:'; \
 			echo '  $(INSTALLTOP)'; \
 			echo ''; \
 			sed -e '1,/^$$/d' doc/openssl-shared.txt; \
 		fi; \
 	fi
 	cp openssl.pc $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig
 install_docs:
 	@$(PERL) $(TOP)/util/mkdir-p.pl \
@@ -736,25 +828,43 @@ install_docs:
 		$(INSTALL_PREFIX)$(MANDIR)/man3 \
 		$(INSTALL_PREFIX)$(MANDIR)/man5 \
 		$(INSTALL_PREFIX)$(MANDIR)/man7
-	@for i in doc/apps/*.pod; do \
+	@pod2man="`cd util; ./pod2mantest $(PERL)`"; \
 	here="`pwd`"; \
 	filecase=; \
 	if [ "$(PLATFORM)" = "DJGPP" -o "$(PLATFORM)" = "Cygwin" ]; then \
 		filecase=-i; \
 	fi; \
 	for i in doc/apps/*.pod; do \
 		fn=`basename $$i .pod`; \
 		if [ "$$fn" = "config" ]; then sec=5; else sec=1; fi; \
-		echo "installing man$$sec/`basename $$i .pod`.$$sec"; \
+		echo "installing man$$sec/$$fn.$$sec"; \
 		(cd `$(PERL) util/dirname.pl $$i`; \
-		sh -c "$(PERL) `cd ../../util; ./pod2mantest ignore` \
+		sh -c "$$pod2man \
 			--section=$$sec --center=OpenSSL \
 			--release=$(VERSION) `basename $$i`") \
-			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/`basename $$i .pod`.$$sec; \
+			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$$sec; \
-	done
+		$(PERL) util/extract-names.pl < $$i | \
-	@for i in doc/crypto/*.pod doc/ssl/*.pod; do \
+			grep -v $$filecase "^$$fn\$$" | \
 			(cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \
 			 while read n; do \
 				$$here/util/point.sh $$fn.$$sec $$n.$$sec; \
 			 done); \
 	done; \
 	for i in doc/crypto/*.pod doc/ssl/*.pod; do \
 		fn=`basename $$i .pod`; \
 		if [ "$$fn" = "des_modes" ]; then sec=7; else sec=3; fi; \
-		echo "installing man$$sec/`basename $$i .pod`.$$sec"; \
+		echo "installing man$$sec/$$fn.$$sec"; \
 		(cd `$(PERL) util/dirname.pl $$i`; \
-		sh -c "$(PERL) `cd ../../util; ./pod2mantest ignore` \
+		sh -c "$$pod2man \
 			--section=$$sec --center=OpenSSL \
 			--release=$(VERSION) `basename $$i`") \
-			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/`basename $$i .pod`.$$sec; \
+			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$$sec; \
 		$(PERL) util/extract-names.pl < $$i | \
 			grep -v $$filecase "^$$fn\$$" | \
 			(cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \
 			 while read n; do \
 				$$here/util/point.sh $$fn.$$sec $$n.$$sec; \
 			 done); \
 	done
 # DO NOT DELETE THIS LINE -- make depend depends on it.
--- a/53
+++ b/53
@@ -5,6 +5,17 @@
  This file gives a brief overview of the major changes between each OpenSSL
  release. For more details please read the CHANGES file.
  Major changes between OpenSSL 0.9.7 and OpenSSL 0.9.7a:
      o Security: Important security related bugfixes.
      o Enhanced compatibility with MIT Kerberos.
      o Can be built without the ENGINE framework.
      o IA32 assembler enhancements.
      o Support for new platforms: FreeBSD/IA64 and FreeBSD/Sparc64.
      o Configuration: the no-err option now works properly.
      o SSL/TLS: now handles manual certificate chain building.
      o SSL/TLS: certain session ID malfunctions corrected.
  Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.7:
      o New library section OCSP.
@@ -17,6 +28,15 @@
        a separate distribution.
      o New elliptic curve library section.
      o New AES (Rijndael) library section.
      o Support for new platforms: Windows CE, Tandem OSS, A/UX, AIX 64-bit,
        Linux x86_64, Linux 64-bit on Sparc v9
      o Extended support for some platforms: VxWorks
      o Enhanced support for shared libraries.
      o Now only builds PIC code when shared library support is requested.
      o Support for pkg-config.
      o Lots of new manuals.
      o Makes symbolic links to or copies of manuals to cover all described
        functions.
      o Change DES API to clean up the namespace (some applications link also
        against libdes providing similar functions having the same name).
        Provide macros for backward compatibility (will be removed in the
@@ -30,16 +50,49 @@
      o Reworked parts of the BIGNUM code.
      o Support for new engines: Broadcom ubsec, Accelerated Encryption
        Processing, IBM 4758.
      o A few new engines added in the demos area.
      o Extended and corrected OID (object identifier) table.
      o PRNG: query at more locations for a random device, automatic query for
        EGD style random sources at several locations.
      o SSL/TLS: allow optional cipher choice according to server's preference.
      o SSL/TLS: allow server to explicitly set new session ids.
      o SSL/TLS: support Kerberos cipher suites (RFC2712).
 	Only supports MIT Kerberos for now.
      o SSL/TLS: allow more precise control of renegotiations and sessions.
      o SSL/TLS: add callback to retrieve SSL/TLS messages.
      o SSL/TLS: support AES cipher suites (RFC3268).
  Major changes between OpenSSL 0.9.6h and OpenSSL 0.9.6i:
      o Important security related bugfixes.
  Major changes between OpenSSL 0.9.6g and OpenSSL 0.9.6h:
      o New configuration targets for Tandem OSS and A/UX.
      o New OIDs for Microsoft attributes.
      o Better handling of SSL session caching.
      o Better comparison of distinguished names.
      o Better handling of shared libraries in a mixed GNU/non-GNU environment.
      o Support assembler code with Borland C.
      o Fixes for length problems.
      o Fixes for uninitialised variables.
      o Fixes for memory leaks, some unusual crashes and some race conditions.
      o Fixes for smaller building problems.
      o Updates of manuals, FAQ and other instructive documents.
  Major changes between OpenSSL 0.9.6f and OpenSSL 0.9.6g:
      o Important building fixes on Unix.
  Major changes between OpenSSL 0.9.6e and OpenSSL 0.9.6f:
      o Various important bugfixes.
  Major changes between OpenSSL 0.9.6d and OpenSSL 0.9.6e:
      o Important security related bugfixes.
      o Various SSL/TLS library bugfixes.
  Major changes between OpenSSL 0.9.6c and OpenSSL 0.9.6d:
      o Various SSL/TLS library bugfixes.
--- a/60
+++ b/60
@@ -38,3 +38,63 @@ may differ on your machine.
 As long as Apple doesn't fix the problem with ld, this problem building
 OpenSSL will remain as is.
 * Parallell make leads to errors
 While running tests, running a parallell make is a bad idea.  Many test
 scripts use the same name for output and input files, which means different
 will interfere with each other and lead to test failure.
 The solution is simple for now: don't run parallell make when testing.
 * Bugs in gcc 3.0 triggered
 According to a problem report, there are bugs in gcc 3.0 that are
 triggered by some of the code in OpenSSL, more specifically in
 PEM_get_EVP_CIPHER_INFO().  The triggering code is the following:
 	header+=11;
 	if (*header != '4') return(0); header++;
 	if (*header != ',') return(0); header++;
 What happens is that gcc might optimize a little too agressively, and
 you end up with an extra incrementation when *header != '4'.
 We recommend that you upgrade gcc to as high a 3.x version as you can.
 * solaris64-sparcv9-cc SHA-1 performance with WorkShop 6 compiler.
 As subject suggests SHA-1 might perform poorly (4 times slower)
 if compiled with WorkShop 6 compiler and -xarch=v9. The cause for
 this seems to be the fact that compiler emits multiplication to
 perform shift operations:-( To work the problem around configure
 with './Configure solaris64-sparcv9-cc -DMD32_REG_T=int'.
 * Problems with hp-parisc2-cc target when used with "no-asm" flag
 When using the hp-parisc2-cc target, wrong bignum code is generated.
 This is due to the SIXTY_FOUR_BIT build being compiled with the +O3
 aggressive optimization.
 The problem manifests itself by the BN_kronecker test hanging in an
 endless loop. Reason: the BN_kronecker test calls BN_generate_prime()
 which itself hangs. The reason could be tracked down to the bn_mul_comba8()
 function in bn_asm.c. At some occasions the higher 32bit value of r[7]
 is off by 1 (meaning: calculated=shouldbe+1). Further analysis failed,
 as no debugger support possible at +O3 and additional fprintf()'s
 introduced fixed the bug, therefore it is most likely a bug in the
 optimizer.
 The bug was found in the BN_kronecker test but may also lead to
 failures in other parts of the code.
 (See Ticket #426.)
 Workaround: modify the target to +O2 when building with no-asm.
 * Poor support for AIX shared builds.
 do_aix-shared rule is not flexible enough to parameterize through a
 config-line. './Configure aix43-cc shared' is working, but not
 './Configure aix64-gcc shared'. In latter case make fails to create shared
 libraries. It's possible to build 64-bit shared libraries by running
 'env OBJECT_MODE=64 make', but we need more elegant solution. Preferably one
 supporting even gcc shared builds. See RT#463 for background information.
--- a/10
+++ b/10
@@ -1,7 +1,7 @@
- OpenSSL 0.9.8-dev XX xxx XXXX
+ OpenSSL 0.9.7a Feb 19 2003
- Copyright (c) 1998-2002 The OpenSSL Project
+ Copyright (c) 1998-2003 The OpenSSL Project
 Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
 All rights reserved.
@@ -154,7 +154,7 @@
    - Stack Traceback (if the application dumps core)
 Report the bug to the OpenSSL project via the Request Tracker
- (http://www.openssl.org/rt2.html) by mail to:
+ (http://www.openssl.org/support/rt2.html) by mail to:
    openssl-bugs@openssl.org
@@ -173,7 +173,9 @@
 textual explanation of what your patch does.
 Note: For legal reasons, contributions from the US can be accepted only
- if a copy of the patch is sent to crypt@bxa.doc.gov
+ if a TSA notification and a copy of the patch is sent to crypt@bis.doc.gov;
 see http://www.bis.doc.gov/Encryption/PubAvailEncSourceCodeNofify.html [sic]
 and http://w3.access.gpo.gov/bis/ear/pdf/740.pdf (EAR Section 740.13(e)).
 The preferred format for changes is "diff -u" output. You might
 generate it like this:
--- a/27
+++ b/27
@@ -1,12 +1,17 @@
  OpenSSL STATUS                           Last modified at
-  ______________                           $Date: 2002/06/16 18:20:28 $
+  ______________                           $Date: 2003/02/19 12:33:52 $
  DEVELOPMENT STATE
    o  OpenSSL 0.9.8:  Under development...
-    o  OpenSSL 0.9.7-beta2: Released on June 16th, 2002
+    o  OpenSSL 0.9.7a: Released on February  19th, 2003
-    o  OpenSSL 0.9.7-beta1: Released on June  1st, 2002
+    o  OpenSSL 0.9.7:  Released on December  31st, 2002
    o  OpenSSL 0.9.6i: Released on February  19th, 2003
    o  OpenSSL 0.9.6h: Released on December   5th, 2002
    o  OpenSSL 0.9.6g: Released on August     9th, 2002
    o  OpenSSL 0.9.6f: Released on August     8th, 2002
    o  OpenSSL 0.9.6e: Released on July      30th, 2002
    o  OpenSSL 0.9.6d: Released on May        9th, 2002
    o  OpenSSL 0.9.6c: Released on December  21st, 2001
    o  OpenSSL 0.9.6b: Released on July       9th, 2001
@@ -24,8 +29,17 @@
  RELEASE SHOWSTOPPERS
-    o BN_mod_mul verification fails for mips3-sgi-irix
+    o [2002-11-21]
-      unless configured with no-asm
+      PR 343 mentions that scrubbing memory with 'memset(ptr, 0, n)' may
      be optimized away in modern compilers.  This is definitely not good
      and needs to be fixed immediately.  The formula to use is presented
      in:
      http://online.securityfocus.com/archive/82/297918/2002-10-27/2002-11-02/0
      The problem report that mentions this is:
      https://www.aet.TU-Cottbus.DE/rt2/Ticket/Display.html?id=343
  AVAILABLE PATCHES
@@ -48,9 +62,8 @@
 	UTIL (a new set of library functions to support some higher level
 	      functionality that is currently missing).
 	Shared library support for VMS.
-	Kerberos 5 authentication
+	Kerberos 5 authentication (Heimdal)
 	Constification
 	OCSP
  NEEDS PATCH
--- a/882
+++ b/882
--- a/VMS/tcpip_shr_decc.opt
+++ b/VMS/tcpip_shr_decc.opt
@@ -0,0 +1 @@
 sys$share:tcpip$ipc_shr.exe/share
--- a/apps/Makefile.ssl
+++ b/apps/Makefile.ssl
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -114,9 +114,7 @@
 #include <string.h>
 #include <sys/types.h>
 #include <sys/stat.h>
-#define NON_MAIN
+#include <ctype.h>
 #include "apps.h"
 #undef NON_MAIN
 #include <openssl/err.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
@@ -124,7 +122,9 @@
 #include <openssl/pkcs12.h>
 #include <openssl/ui.h>
 #include <openssl/safestack.h>
 #ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
 #endif
 #ifdef OPENSSL_SYS_WINDOWS
 #define strcasecmp _stricmp
@@ -136,6 +136,10 @@
 #  endif /* NO_STRINGS_H */
 #endif
 #define NON_MAIN
 #include "apps.h"
 #undef NON_MAIN
 #ifdef OPENSSL_SYS_WINDOWS
 #  include "bss_file.c"
 #endif
@@ -335,8 +339,7 @@ void program_name(char *in, char *out, int size)
 		p++;
 	else
 		p=in;
-	strncpy(out,p,size-1);
+	BUF_strlcpy(out,p,size);
 	out[size-1]='\0';
 	}
 #endif
 #endif
@@ -344,6 +347,7 @@ void program_name(char *in, char *out, int size)
 #ifdef OPENSSL_SYS_WIN32
 int WIN32_rename(char *from, char *to)
 	{
 #ifndef OPENSSL_SYS_WINCE
 	/* Windows rename gives an error if 'to' exists, so delete it
 	 * first and ignore file not found errror
 	 */
@@ -351,6 +355,46 @@ int WIN32_rename(char *from, char *to)
 		return -1;
 #undef rename
 	return rename(from, to);
 #else
 	/* convert strings to UNICODE */
 	{
 	BOOL result = FALSE;
 	WCHAR* wfrom;
 	WCHAR* wto;
 	int i;
 	wfrom = malloc((strlen(from)+1)*2);
 	wto = malloc((strlen(to)+1)*2);
 	if (wfrom != NULL && wto != NULL)
 		{
 		for (i=0; i<(int)strlen(from)+1; i++)
 			wfrom[i] = (short)from[i];
 		for (i=0; i<(int)strlen(to)+1; i++)
 			wto[i] = (short)to[i];
 		result = MoveFile(wfrom, wto);
 		}
 	if (wfrom != NULL)
 		free(wfrom);
 	if (wto != NULL)
 		free(wto);
 	return result;
 	}
 #endif
 	}
 #endif
 #ifdef OPENSSL_SYS_VMS
 int VMS_strcasecmp(const char *str1, const char *str2)
 	{
 	while (*str1 && *str2)
 		{
 		int res = toupper(*str1) - toupper(*str2);
 		if (res) return res < 0 ? -1 : 1;
 		}
 	if (*str1)
 		return 1;
 	if (*str2)
 		return -1;
 	return 0;
 	}
 #endif
@@ -429,15 +473,19 @@ int app_init(long mesgwin)
 int dump_cert_text (BIO *out, X509 *x)
 {
-	char buf[256];
+	char *p;
 	X509_NAME_oneline(X509_get_subject_name(x),buf,256);
 	BIO_puts(out,"subject=");
 	BIO_puts(out,buf);
-	X509_NAME_oneline(X509_get_issuer_name(x),buf,256);
+	p=X509_NAME_oneline(X509_get_subject_name(x),NULL,0);
 	BIO_puts(out,"subject=");
 	BIO_puts(out,p);
 	OPENSSL_free(p);
 	p=X509_NAME_oneline(X509_get_issuer_name(x),NULL,0);
 	BIO_puts(out,"\nissuer=");
-	BIO_puts(out,buf);
+	BIO_puts(out,p);
 	BIO_puts(out,"\n");
 	OPENSSL_free(p);
 	return 0;
 }
@@ -569,7 +617,7 @@ int password_callback(char *buf, int bufsiz, int verify,
 		if (buff)
 			{
-			memset(buff,0,(unsigned int)bufsiz);
+			OPENSSL_cleanse(buff,(unsigned int)bufsiz);
 			OPENSSL_free(buff);
 			}
@@ -579,13 +627,13 @@ int password_callback(char *buf, int bufsiz, int verify,
 			{
 			BIO_printf(bio_err, "User interface error\n");
 			ERR_print_errors(bio_err);
-			memset(buf,0,(unsigned int)bufsiz);
+			OPENSSL_cleanse(buf,(unsigned int)bufsiz);
 			res = 0;
 			}
 		if (ok == -2)
 			{
 			BIO_printf(bio_err,"aborted!\n");
-			memset(buf,0,(unsigned int)bufsiz);
+			OPENSSL_cleanse(buf,(unsigned int)bufsiz);
 			res = 0;
 			}
 		UI_free(ui);
@@ -798,7 +846,7 @@ end:
 	return(x);
 	}
-EVP_PKEY *load_key(BIO *err, const char *file, int format,
+EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,
 	const char *pass, ENGINE *e, const char *key_descrip)
 	{
 	BIO *key=NULL;
@@ -808,11 +856,12 @@ EVP_PKEY *load_key(BIO *err, const char *file, int format,
 	cb_data.password = pass;
 	cb_data.prompt_info = file;
-	if (file == NULL)
+	if (file == NULL && (!maybe_stdin || format == FORMAT_ENGINE))
 		{
 		BIO_printf(err,"no keyfile specified\n");
 		goto end;
 		}
 #ifndef OPENSSL_NO_ENGINE
 	if (format == FORMAT_ENGINE)
 		{
 		if (!e)
@@ -822,15 +871,23 @@ EVP_PKEY *load_key(BIO *err, const char *file, int format,
 				ui_method, &cb_data);
 		goto end;
 		}
 #endif
 	key=BIO_new(BIO_s_file());
 	if (key == NULL)
 		{
 		ERR_print_errors(err);
 		goto end;
 		}
 	if (file == NULL && maybe_stdin)
 		{
 		setvbuf(stdin, NULL, _IONBF, 0);
 		BIO_set_fp(key,stdin,BIO_NOCLOSE);
 		}
 	else
 		if (BIO_read_filename(key,file) <= 0)
 			{
-		BIO_printf(err, "Error opening %s %s\n", key_descrip, file);
+			BIO_printf(err, "Error opening %s %s\n",
 				key_descrip, file);
 			ERR_print_errors(err);
 			goto end;
 			}
@@ -867,7 +924,7 @@ EVP_PKEY *load_key(BIO *err, const char *file, int format,
 	return(pkey);
 	}
-EVP_PKEY *load_pubkey(BIO *err, const char *file, int format,
+EVP_PKEY *load_pubkey(BIO *err, const char *file, int format, int maybe_stdin,
 	const char *pass, ENGINE *e, const char *key_descrip)
 	{
 	BIO *key=NULL;
@@ -877,11 +934,12 @@ EVP_PKEY *load_pubkey(BIO *err, const char *file, int format,
 	cb_data.password = pass;
 	cb_data.prompt_info = file;
-	if (file == NULL)
+	if (file == NULL && (!maybe_stdin || format == FORMAT_ENGINE))
 		{
 		BIO_printf(err,"no keyfile specified\n");
 		goto end;
 		}
 #ifndef OPENSSL_NO_ENGINE
 	if (format == FORMAT_ENGINE)
 		{
 		if (!e)
@@ -891,15 +949,23 @@ EVP_PKEY *load_pubkey(BIO *err, const char *file, int format,
 				ui_method, &cb_data);
 		goto end;
 		}
 #endif
 	key=BIO_new(BIO_s_file());
 	if (key == NULL)
 		{
 		ERR_print_errors(err);
 		goto end;
 		}
 	if (file == NULL && maybe_stdin)
 		{
 		setvbuf(stdin, NULL, _IONBF, 0);
 		BIO_set_fp(key,stdin,BIO_NOCLOSE);
 		}
 	else
 		if (BIO_read_filename(key,file) <= 0)
 			{
-		BIO_printf(err, "Error opening %s %s\n", key_descrip, file);
+			BIO_printf(err, "Error opening %s %s\n",
 				key_descrip, file);
 			ERR_print_errors(err);
 			goto end;
 		}
@@ -946,7 +1012,7 @@ load_netscape_key(BIO *err, BIO *key, const char *file,
 		goto error;
 	for (;;)
 		{
-		if (!BUF_MEM_grow(buf,size+1024*10))
+		if (!BUF_MEM_grow_clean(buf,size+1024*10))
 			goto error;
 		i = BIO_read(key, &(buf->data[size]), 1024*10);
 		size += i;
@@ -1074,6 +1140,7 @@ int set_cert_ex(unsigned long *flags, const char *arg)
 		{ "no_extensions", X509_FLAG_NO_EXTENSIONS, 0},
 		{ "no_sigdump", X509_FLAG_NO_SIGDUMP, 0},
 		{ "no_aux", X509_FLAG_NO_AUX, 0},
 		{ "no_attributes", X509_FLAG_NO_ATTRIBUTES, 0},
 		{ "ext_default", X509V3_EXT_DEFAULT, X509V3_EXT_UNKNOWN_MASK},
 		{ "ext_error", X509V3_EXT_ERROR_UNKNOWN, X509V3_EXT_UNKNOWN_MASK},
 		{ "ext_parse", X509V3_EXT_PARSE_UNKNOWN, X509V3_EXT_UNKNOWN_MASK},
@@ -1220,6 +1287,7 @@ void print_name(BIO *out, char *title, X509_NAME *nm, unsigned long lflags)
 	char *buf;
 	char mline = 0;
 	int indent = 0;
 	if(title) BIO_puts(out, title);
 	if((lflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) {
 		mline = 1;
@@ -1267,6 +1335,7 @@ X509_STORE *setup_verify(BIO *bp, char *CAfile, char *CApath)
 	return NULL;
 }
 #ifndef OPENSSL_NO_ENGINE
 /* Try to load an engine in a shareable library */
 static ENGINE *try_load_engine(BIO *err, const char *engine, int debug)
 	{
@@ -1323,6 +1392,7 @@ ENGINE *setup_engine(BIO *err, const char *engine, int debug)
 		}
        return e;
        }
 #endif
 int load_config(BIO *err, CONF *cnf)
 	{
@@ -1341,3 +1411,18 @@ int load_config(BIO *err, CONF *cnf)
 		}
 	return 1;
 	}
 char *make_config_name()
 	{
 	const char *t=X509_get_default_cert_area();
 	char *p;
 	p=OPENSSL_malloc(strlen(t)+strlen(OPENSSL_CONF)+2);
 	strcpy(p,t);
 #ifndef OPENSSL_SYS_VMS
 	strcat(p,"/");
 #endif
 	strcat(p,OPENSSL_CONF);
 	return p;
 	}
--- a/apps/apps.h
+++ b/apps/apps.h
@@ -121,7 +121,9 @@
 #include <openssl/lhash.h>
 #include <openssl/conf.h>
 #include <openssl/txt_db.h>
 #ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
 #endif
 #include <openssl/ossl_typ.h>
 int app_RAND_load_file(const char *file, BIO *bio_e, int dont_warn);
@@ -139,13 +141,21 @@ long app_RAND_load_files(char *file); /* `file' is a list of files to read,
 int WIN32_rename(char *oldname,char *newname);
 #endif
 /* VMS below version 7.0 doesn't have strcasecmp() */
 #ifdef OPENSSL_SYS_VMS
 #define strcasecmp(str1,str2) VMS_strcasecmp((str1),(str2))
 int VMS_strcasecmp(const char *str1, const char *str2);
 #endif
 #ifndef MONOLITH
 #define MAIN(a,v)	main(a,v)
 #ifndef NON_MAIN
 CONF *config=NULL;
 BIO *bio_err=NULL;
 #else
 extern CONF *config;
 extern BIO *bio_err;
 #endif
@@ -171,6 +181,7 @@ extern BIO *bio_err;
 		do_pipe_sig()
 #  define apps_shutdown()
 #else
 #  ifndef OPENSSL_NO_ENGINE
 #    if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WIN16) || \
     defined(OPENSSL_SYS_WIN32)
 #      ifdef _O_BINARY
@@ -195,6 +206,32 @@ extern BIO *bio_err;
 			EVP_cleanup(); ENGINE_cleanup(); \
 			CRYPTO_cleanup_all_ex_data(); ERR_remove_state(0); \
 			ERR_free_strings(); } while(0)
 #  else
 #    if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WIN16) || \
     defined(OPENSSL_SYS_WIN32)
 #      ifdef _O_BINARY
 #        define apps_startup() \
 			do { _fmode=_O_BINARY; do_pipe_sig(); CRYPTO_malloc_init(); \
 			ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); \
 			setup_ui_method(); } while(0)
 #      else
 #        define apps_startup() \
 			do { _fmode=O_BINARY; do_pipe_sig(); CRYPTO_malloc_init(); \
 			ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); \
 			setup_ui_method(); } while(0)
 #      endif
 #    else
 #      define apps_startup() \
 			do { do_pipe_sig(); OpenSSL_add_all_algorithms(); \
 			ERR_load_crypto_strings(); \
 			setup_ui_method(); } while(0)
 #    endif
 #    define apps_shutdown() \
 			do { CONF_modules_unload(1); destroy_ui_method(); \
 			EVP_cleanup(); \
 			CRYPTO_cleanup_all_ex_data(); ERR_remove_state(0); \
 			ERR_free_strings(); } while(0)
 #  endif
 #endif
 typedef struct args_st
@@ -233,16 +270,19 @@ int app_passwd(BIO *err, char *arg1, char *arg2, char **pass1, char **pass2);
 int add_oid_section(BIO *err, CONF *conf);
 X509 *load_cert(BIO *err, const char *file, int format,
 	const char *pass, ENGINE *e, const char *cert_descrip);
-EVP_PKEY *load_key(BIO *err, const char *file, int format,
+EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,
 	const char *pass, ENGINE *e, const char *key_descrip);
-EVP_PKEY *load_pubkey(BIO *err, const char *file, int format,
+EVP_PKEY *load_pubkey(BIO *err, const char *file, int format, int maybe_stdin,
 	const char *pass, ENGINE *e, const char *key_descrip);
 STACK_OF(X509) *load_certs(BIO *err, const char *file, int format,
 	const char *pass, ENGINE *e, const char *cert_descrip);
 X509_STORE *setup_verify(BIO *bp, char *CAfile, char *CApath);
 #ifndef OPENSSL_NO_ENGINE
 ENGINE *setup_engine(BIO *err, const char *engine, int debug);
 #endif
 int load_config(BIO *err, CONF *cnf);
 char *make_config_name(void);
 /* Functions defined in ca.c and also used in ocsp.c */
 int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold,
--- a/apps/asn1pars.c
+++ b/apps/asn1pars.c
@@ -332,6 +332,6 @@ end:
 	if (osk != NULL) sk_free(osk);
 	OBJ_cleanup();
 	apps_shutdown();
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -64,7 +64,6 @@
 #include <ctype.h>
 #include <sys/types.h>
 #include <sys/stat.h>
 #include "apps.h"
 #include <openssl/conf.h>
 #include <openssl/bio.h>
 #include <openssl/err.h>
@@ -94,11 +93,13 @@
 #    else
 #      include <unixlib.h>
 #    endif
-#  elif !defined(OPENSSL_SYS_VXWORKS)
+#  elif !defined(OPENSSL_SYS_VXWORKS) && !defined(OPENSSL_SYS_WINDOWS)
 #    include <sys/file.h>
 #  endif
 #endif
 #include "apps.h"
 #ifndef W_OK
 #  define F_OK 0
 #  define X_OK 1
@@ -195,7 +196,9 @@ static char *ca_usage[]={
 " -extensions ..  - Extension section (override value in config file)\n",
 " -extfile file   - Configuration file with X509v3 extentions to add\n",
 " -crlexts ..     - CRL extension section (override value in config file)\n",
 #ifndef OPENSSL_NO_ENGINE
 " -engine e       - use engine e, possibly a hardware device.\n",
 #endif
 " -status serial  - Shows certificate status given the serial number\n",
 " -updatedb       - Updates db for expired certificates\n",
 NULL
@@ -332,7 +335,10 @@ int MAIN(int argc, char **argv)
 #define BSIZE 256
 	MS_STATIC char buf[3][BSIZE];
 	char *randfile=NULL;
 #ifndef OPENSSL_NO_ENGINE
 	char *engine = NULL;
 #endif
 	char *tofree=NULL;
 #ifdef EFENCE
 EF_PROTECT_FREE=1;
@@ -535,11 +541,13 @@ EF_ALIGNMENT=0;
 			rev_arg = *(++argv);
 			rev_type = REV_CA_COMPROMISE;
 			}
 #ifndef OPENSSL_NO_ENGINE
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 			}
 #endif
 		else
 			{
 bad:
@@ -560,25 +568,28 @@ bad:
 	ERR_load_crypto_strings();
 #ifndef OPENSSL_NO_ENGINE
 	e = setup_engine(bio_err, engine, 0);
 #endif
 	/*****************************************************************/
 	tofree=NULL;
 	if (configfile == NULL) configfile = getenv("OPENSSL_CONF");
 	if (configfile == NULL) configfile = getenv("SSLEAY_CONF");
 	if (configfile == NULL)
 		{
-		/* We will just use 'buf[0]' as a temporary buffer.  */
+		const char *s=X509_get_default_cert_area();
 #ifdef OPENSSL_SYS_VMS
-		strncpy(buf[0],X509_get_default_cert_area(),
+		tofree=OPENSSL_malloc(strlen(s)+sizeof(CONFIG_FILE));
-			sizeof(buf[0])-1-sizeof(CONFIG_FILE));
+		strcpy(tofree,s);
 #else
-		strncpy(buf[0],X509_get_default_cert_area(),
+		tofree=OPENSSL_malloc(strlen(s)+sizeof(CONFIG_FILE)+1);
-			sizeof(buf[0])-2-sizeof(CONFIG_FILE));
+		strcpy(tofree,s);
-		buf[0][sizeof(buf[0])-2-sizeof(CONFIG_FILE)]='\0';
+		strcat(tofree,"/");
 		strcat(buf[0],"/");
 #endif
-		strcat(buf[0],CONFIG_FILE);
+		strcat(tofree,CONFIG_FILE);
-		configfile=buf[0];
+		configfile=tofree;
 		}
 	BIO_printf(bio_err,"Using configuration from %s\n",configfile);
@@ -593,6 +604,11 @@ bad:
 				,errorline,configfile);
 		goto err;
 		}
 	if(tofree)
 		{
 		OPENSSL_free(tofree);
 		tofree = NULL;
 		}
 	if (!load_config(bio_err, conf))
 		goto err;
@@ -699,9 +715,9 @@ bad:
 			goto err;
 			}
 		}
-	pkey = load_key(bio_err, keyfile, keyform, key, e, 
+	pkey = load_key(bio_err, keyfile, keyform, 0, key, e, 
 		"CA private key");
-	if (key) memset(key,0,strlen(key));
+	if (key) OPENSSL_cleanse(key,strlen(key));
 	if (pkey == NULL)
 		{
 		/* load_key() has already printed an appropriate message */
@@ -1016,7 +1032,7 @@ bad:
 			}
 		if (verbose)
-			BIO_printf(bio_err, "Succesfully loaded extensions file %s\n", extfile);
+			BIO_printf(bio_err, "Successfully loaded extensions file %s\n", extfile);
 		/* We can have sections in the ext file */
 		if (!extensions && !(extensions = NCONF_get_string(extconf, "default", "extensions")))
@@ -1157,11 +1173,16 @@ bad:
 			goto err;
 			}
 		if (verbose)
 			{
 			if (BN_is_zero(serial))
 				BIO_printf(bio_err,"next serial number is 00\n");
 			else
 				{
 				if ((f=BN_bn2hex(serial)) == NULL) goto err;
 				BIO_printf(bio_err,"next serial number is %s\n",f);
 				OPENSSL_free(f);
 				}
 			}
 		if ((attribs=NCONF_get_section(conf,policy)) == NULL)
 			{
@@ -1280,8 +1301,13 @@ bad:
 			BIO_printf(bio_err,"Write out database with %d new entries\n",sk_X509_num(cert_sk));
-			strncpy(buf[0],serialfile,BSIZE-4);
+			if(strlen(serialfile) > BSIZE-5 || strlen(dbfile) > BSIZE-5)
-			buf[0][BSIZE-4]='\0';
+				{
 				BIO_printf(bio_err,"file name too long\n");
 				goto err;
 				}
 			strcpy(buf[0],serialfile);
 #ifdef OPENSSL_SYS_VMS
 			strcat(buf[0],"-new");
@@ -1291,8 +1317,7 @@ bad:
 			if (!save_serial(buf[0],serial)) goto err;
-			strncpy(buf[1],dbfile,BSIZE-4);
+			strcpy(buf[1],dbfile);
 			buf[1][BSIZE-4]='\0';
 #ifdef OPENSSL_SYS_VMS
 			strcat(buf[1],"-new");
@@ -1322,8 +1347,13 @@ bad:
 			j=x->cert_info->serialNumber->length;
 			p=(char *)x->cert_info->serialNumber->data;
-			strncpy(buf[2],outdir,BSIZE-(j*2)-6);
+			if(strlen(outdir) >= (size_t)(j ? BSIZE-j*2-6 : BSIZE-8))
-			buf[2][BSIZE-(j*2)-6]='\0';
+				{
 				BIO_printf(bio_err,"certificate file name too long\n");
 				goto err;
 				}
 			strcpy(buf[2],outdir);
 #ifndef OPENSSL_SYS_VMS
 			strcat(buf[2],"/");
@@ -1513,11 +1543,6 @@ bad:
 			if (pkey->type == EVP_PKEY_DSA) 
 				dgst=EVP_dss1();
 			else
 #endif
 #ifndef OPENSSL_NO_ECDSA
 			if (pkey->type == EVP_PKEY_ECDSA)
 				dgst=EVP_ecdsa();
 			else
 #endif
 				dgst=EVP_md5();
 			}
@@ -1562,8 +1587,13 @@ bad:
 			if (j <= 0) goto err;
 			X509_free(revcert);
-			strncpy(buf[0],dbfile,BSIZE-4);
+			if(strlen(dbfile) > BSIZE-5)
-			buf[0][BSIZE-4]='\0';
+				{
 				BIO_printf(bio_err,"filename too long\n");
 				goto err;
 				}
 			strcpy(buf[0],dbfile);
 #ifndef OPENSSL_SYS_VMS
 			strcat(buf[0],".new");
 #else
@@ -1577,6 +1607,10 @@ bad:
 				}
 			j=TXT_DB_write(out,db);
 			if (j <= 0) goto err;
 			BIO_free_all(out);
 			out = NULL;
 			BIO_free_all(in);
 			in = NULL;
 			strncpy(buf[1],dbfile,BSIZE-4);
 			buf[1][BSIZE-4]='\0';
 #ifndef OPENSSL_SYS_VMS
@@ -1584,10 +1618,6 @@ bad:
 #else
 			strcat(buf[1],"-old");
 #endif
 			BIO_free(in);
 			in = NULL;
 			BIO_free(out);
 			out = NULL;
 			if (rename(dbfile,buf[1]) < 0)
 				{
 				BIO_printf(bio_err,"unable to rename %s to %s\n", dbfile, buf[1]);
@@ -1607,16 +1637,19 @@ bad:
 	/*****************************************************************/
 	ret=0;
 err:
 	if(tofree)
 		OPENSSL_free(tofree);
 	BIO_free_all(Cout);
 	BIO_free_all(Sout);
 	BIO_free_all(out);
 	BIO_free_all(in);
 	if (cert_sk)
 		sk_X509_pop_free(cert_sk,X509_free);
 	if (ret) ERR_print_errors(bio_err);
 	app_RAND_write_file(randfile, bio_err);
-	if (free_key)
+	if (free_key && key)
 		OPENSSL_free(key);
 	BN_free(serial);
 	TXT_DB_free(db);
@@ -1626,7 +1659,7 @@ err:
 	NCONF_free(conf);
 	OBJ_cleanup();
 	apps_shutdown();
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
 static void lookup_fail(char *name, char *tag)
@@ -1691,7 +1724,7 @@ static BIGNUM *load_serial(char *serialfile)
 	ret=ASN1_INTEGER_to_BN(ai,NULL);
 	if (ret == NULL)
 		{
-		BIO_printf(bio_err,"error converting number from bin to BIGNUM");
+		BIO_printf(bio_err,"error converting number from bin to BIGNUM\n");
 		goto err;
 		}
 err:
@@ -2094,9 +2127,11 @@ again2:
 			}
 		}
-	row[DB_name]=X509_NAME_oneline(dn_subject,NULL,0);
+	if (BN_is_zero(serial))
 		row[DB_serial]=BUF_strdup("00");
 	else
 		row[DB_serial]=BN_bn2hex(serial);
-	if ((row[DB_name] == NULL) || (row[DB_serial] == NULL))
+	if (row[DB_serial] == NULL)
 		{
 		BIO_printf(bio_err,"Memory allocation failure\n");
 		goto err;
@@ -2293,16 +2328,6 @@ again2:
 		EVP_PKEY_copy_parameters(pktmp,pkey);
 	EVP_PKEY_free(pktmp);
 #endif
 #ifndef OPENSSL_NO_ECDSA
 	if (pkey->type == EVP_PKEY_ECDSA)
 		dgst = EVP_ecdsa();
 	pktmp = X509_get_pubkey(ret);
 	if (EVP_PKEY_missing_parameters(pktmp) &&
 		!EVP_PKEY_missing_parameters(pkey))
 		EVP_PKEY_copy_parameters(pktmp, pkey);
 	EVP_PKEY_free(pktmp);
 #endif
 	if (!X509_sign(ret,pkey,dgst))
 		goto err;
@@ -2319,10 +2344,10 @@ again2:
 	/* row[DB_serial] done already */
 	row[DB_file]=(char *)OPENSSL_malloc(8);
-	/* row[DB_name] done already */
+	row[DB_name]=X509_NAME_oneline(X509_get_subject_name(ret),NULL,0);
 	if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) ||
-		(row[DB_file] == NULL))
+		(row[DB_file] == NULL) || (row[DB_name] == NULL))
 		{
 		BIO_printf(bio_err,"Memory allocation failure\n");
 		goto err;
@@ -2589,6 +2614,9 @@ static int do_revoke(X509 *x509, TXT_DB *db, int type, char *value)
 		row[i]=NULL;
 	row[DB_name]=X509_NAME_oneline(X509_get_subject_name(x509),NULL,0);
 	bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(x509),NULL);
 	if (BN_is_zero(bn))
 		row[DB_serial]=BUF_strdup("00");
 	else
 		row[DB_serial]=BN_bn2hex(bn);
 	BN_free(bn);
 	if ((row[DB_name] == NULL) || (row[DB_serial] == NULL))
@@ -3064,6 +3092,7 @@ X509_NAME *do_subject(char *subject, long chtype)
 		while (*sp)
 			{
 			if (*sp == '\\') /* is there anything to escape in the type...? */
 				{
 				if (*++sp)
 					*bp++ = *sp++;
 				else
@@ -3071,6 +3100,7 @@ X509_NAME *do_subject(char *subject, long chtype)
 					BIO_printf(bio_err, "escape character at end of string\n");
 					goto error;
 					}
 				}
 			else if (*sp == '=')
 				{
 				sp++;
@@ -3089,6 +3119,7 @@ X509_NAME *do_subject(char *subject, long chtype)
 		while (*sp)
 			{
 			if (*sp == '\\')
 				{
 				if (*++sp)
 					*bp++ = *sp++;
 				else
@@ -3096,6 +3127,7 @@ X509_NAME *do_subject(char *subject, long chtype)
 					BIO_printf(bio_err, "escape character at end of string\n");
 					goto error;
 					}
 				}
 			else if (*sp == '/')
 				{
 				sp++;
--- a/apps/ciphers.c
+++ b/apps/ciphers.c
@@ -187,7 +187,7 @@ int MAIN(int argc, char **argv)
 			{
 			BIO_puts(STDout,SSL_CIPHER_description(
 				sk_SSL_CIPHER_value(sk,i),
-				buf,512));
+				buf,sizeof buf));
 			}
 		}
@@ -203,6 +203,6 @@ end:
 	if (ssl != NULL) SSL_free(ssl);
 	if (STDout != NULL) BIO_free_all(STDout);
 	apps_shutdown();
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
--- a/apps/crl.c
+++ b/apps/crl.c
@@ -377,7 +377,7 @@ end:
 		X509_STORE_free(store);
 	}
 	apps_shutdown();
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
 static X509_CRL *load_crl(char *infile, int format)
--- a/apps/crl2p7.c
+++ b/apps/crl2p7.c
@@ -280,7 +280,7 @@ end:
 	if (crl != NULL) X509_CRL_free(crl);
 	apps_shutdown();
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
 /*
--- a/apps/dgst.c
+++ b/apps/dgst.c
@@ -100,7 +100,9 @@ int MAIN(int argc, char **argv)
 	EVP_PKEY *sigkey = NULL;
 	unsigned char *sigbuf = NULL;
 	int siglen = 0;
 #ifndef OPENSSL_NO_ENGINE
 	char *engine=NULL;
 #endif
 	apps_startup();
@@ -117,7 +119,7 @@ int MAIN(int argc, char **argv)
 		goto end;
 	/* first check the program name */
-	program_name(argv[0],pname,PROG_NAME_SIZE);
+	program_name(argv[0],pname,sizeof pname);
 	md=EVP_get_digestbyname(pname);
@@ -166,11 +168,13 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) break;
 			keyform=str2fmt(*(++argv));
 			}
 #ifndef OPENSSL_NO_ENGINE
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) break;
 			engine= *(++argv);
 			}
 #endif
 		else if (strcmp(*argv,"-hex") == 0)
 			out_bin = 0;
 		else if (strcmp(*argv,"-binary") == 0)
@@ -208,7 +212,9 @@ int MAIN(int argc, char **argv)
 		BIO_printf(bio_err,"-keyform arg    key file format (PEM or ENGINE)\n");
 		BIO_printf(bio_err,"-signature file signature to verify\n");
 		BIO_printf(bio_err,"-binary         output in binary form\n");
 #ifndef OPENSSL_NO_ENGINE
 		BIO_printf(bio_err,"-engine e       use engine e, possibly a hardware device.\n");
 #endif
 		BIO_printf(bio_err,"-%3s to use the %s message digest algorithm (default)\n",
 			LN_md5,LN_md5);
@@ -228,7 +234,9 @@ int MAIN(int argc, char **argv)
 		goto end;
 		}
 #ifndef OPENSSL_NO_ENGINE
        e = setup_engine(bio_err, engine, 0);
 #endif
 	in=BIO_new(BIO_s_file());
 	bmd=BIO_new(BIO_f_md());
@@ -277,10 +285,10 @@ int MAIN(int argc, char **argv)
 	if(keyfile)
 		{
 		if (want_pub)
-			sigkey = load_pubkey(bio_err, keyfile, keyform, NULL,
+			sigkey = load_pubkey(bio_err, keyfile, keyform, 0, NULL,
 				e, "key file");
 		else
-			sigkey = load_key(bio_err, keyfile, keyform, NULL,
+			sigkey = load_key(bio_err, keyfile, keyform, 0, NULL,
 				e, "key file");
 		if (!sigkey)
 			{
@@ -356,7 +364,7 @@ int MAIN(int argc, char **argv)
 end:
 	if (buf != NULL)
 		{
-		memset(buf,0,BUFSIZE);
+		OPENSSL_cleanse(buf,BUFSIZE);
 		OPENSSL_free(buf);
 		}
 	if (in != NULL) BIO_free(in);
@@ -365,7 +373,7 @@ end:
 	if(sigbuf) OPENSSL_free(sigbuf);
 	if (bmd != NULL) BIO_free(bmd);
 	apps_shutdown();
-	EXIT(err);
+	OPENSSL_EXIT(err);
 	}
 int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
--- a/apps/dh.c
+++ b/apps/dh.c
@@ -87,12 +87,17 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 	{
 #ifndef OPENSSL_NO_ENGINE
 	ENGINE *e = NULL;
 #endif
 	DH *dh=NULL;
 	int i,badops=0,text=0;
 	BIO *in=NULL,*out=NULL;
 	int informat,outformat,check=0,noout=0,C=0,ret=1;
-	char *infile,*outfile,*prog,*engine;
+	char *infile,*outfile,*prog;
 #ifndef OPENSSL_NO_ENGINE
 	char *engine;
 #endif
 	apps_startup();
@@ -103,7 +108,9 @@ int MAIN(int argc, char **argv)
 	if (!load_config(bio_err, NULL))
 		goto end;
 #ifndef OPENSSL_NO_ENGINE
 	engine=NULL;
 #endif
 	infile=NULL;
 	outfile=NULL;
 	informat=FORMAT_PEM;
@@ -134,11 +141,13 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			outfile= *(++argv);
 			}
 #ifndef OPENSSL_NO_ENGINE
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 			}
 #endif
 		else if (strcmp(*argv,"-check") == 0)
 			check=1;
 		else if (strcmp(*argv,"-text") == 0)
@@ -170,13 +179,17 @@ bad:
 		BIO_printf(bio_err," -text         print a text form of the DH parameters\n");
 		BIO_printf(bio_err," -C            Output C code\n");
 		BIO_printf(bio_err," -noout        no output\n");
 #ifndef OPENSSL_NO_ENGINE
 		BIO_printf(bio_err," -engine e     use engine e, possibly a hardware device.\n");
 #endif
 		goto end;
 		}
 	ERR_load_crypto_strings();
 #ifndef OPENSSL_NO_ENGINE
        e = setup_engine(bio_err, engine, 0);
 #endif
 	in=BIO_new(BIO_s_file());
 	out=BIO_new(BIO_s_file());
@@ -333,6 +346,6 @@ end:
 	if (out != NULL) BIO_free_all(out);
 	if (dh != NULL) DH_free(dh);
 	apps_shutdown();
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
 #endif
--- a/apps/dhparam.c
+++ b/apps/dhparam.c
@@ -148,7 +148,9 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 	{
 #ifndef OPENSSL_NO_ENGINE
 	ENGINE *e = NULL;
 #endif
 	DH *dh=NULL;
 	int i,badops=0,text=0;
 #ifndef OPENSSL_NO_DSA
@@ -157,7 +159,10 @@ int MAIN(int argc, char **argv)
 	BIO *in=NULL,*out=NULL;
 	int informat,outformat,check=0,noout=0,C=0,ret=1;
 	char *infile,*outfile,*prog;
-	char *inrand=NULL,*engine=NULL;
+	char *inrand=NULL;
 #ifndef OPENSSL_NO_ENGINE
 	char *engine=NULL;
 #endif
 	int num = 0, g = 0;
 	apps_startup();
@@ -199,11 +204,13 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			outfile= *(++argv);
 			}
 #ifndef OPENSSL_NO_ENGINE
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 			}
 #endif
 		else if (strcmp(*argv,"-check") == 0)
 			check=1;
 		else if (strcmp(*argv,"-text") == 0)
@@ -249,7 +256,9 @@ bad:
 		BIO_printf(bio_err," -2            generate parameters using  2 as the generator value\n");
 		BIO_printf(bio_err," -5            generate parameters using  5 as the generator value\n");
 		BIO_printf(bio_err," numbits       number of bits in to generate (default 512)\n");
 #ifndef OPENSSL_NO_ENGINE
 		BIO_printf(bio_err," -engine e     use engine e, possibly a hardware device.\n");
 #endif
 		BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
 		BIO_printf(bio_err,"               - load the file (or the files in the directory) into\n");
 		BIO_printf(bio_err,"               the random number generator\n");
@@ -259,7 +268,9 @@ bad:
 	ERR_load_crypto_strings();
 #ifndef OPENSSL_NO_ENGINE
        e = setup_engine(bio_err, engine, 0);
 #endif
 	if (g && !num)
 		num = DEFBITS;
@@ -519,7 +530,7 @@ end:
 	if (out != NULL) BIO_free_all(out);
 	if (dh != NULL) DH_free(dh);
 	apps_shutdown();
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
 /* dh_cb is identical to dsa_cb in apps/dsaparam.c */
--- a/apps/dsa.c
+++ b/apps/dsa.c
@@ -90,7 +90,9 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 	{
 #ifndef OPENSSL_NO_ENGINE
 	ENGINE *e = NULL;
 #endif
 	int ret=1;
 	DSA *dsa=NULL;
 	int i,badops=0;
@@ -98,7 +100,10 @@ int MAIN(int argc, char **argv)
 	BIO *in=NULL,*out=NULL;
 	int informat,outformat,text=0,noout=0;
 	int pubin = 0, pubout = 0;
-	char *infile,*outfile,*prog,*engine;
+	char *infile,*outfile,*prog;
 #ifndef OPENSSL_NO_ENGINE
 	char *engine;
 #endif
 	char *passargin = NULL, *passargout = NULL;
 	char *passin = NULL, *passout = NULL;
 	int modulus=0;
@@ -112,7 +117,9 @@ int MAIN(int argc, char **argv)
 	if (!load_config(bio_err, NULL))
 		goto end;
 #ifndef OPENSSL_NO_ENGINE
 	engine=NULL;
 #endif
 	infile=NULL;
 	outfile=NULL;
 	informat=FORMAT_PEM;
@@ -153,11 +160,13 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			passargout= *(++argv);
 			}
 #ifndef OPENSSL_NO_ENGINE
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 			}
 #endif
 		else if (strcmp(*argv,"-noout") == 0)
 			noout=1;
 		else if (strcmp(*argv,"-text") == 0)
@@ -189,7 +198,9 @@ bad:
 		BIO_printf(bio_err," -passin arg     input file pass phrase source\n");
 		BIO_printf(bio_err," -out arg        output file\n");
 		BIO_printf(bio_err," -passout arg    output file pass phrase source\n");
 #ifndef OPENSSL_NO_ENGINE
 		BIO_printf(bio_err," -engine e       use engine e, possibly a hardware device.\n");
 #endif
 		BIO_printf(bio_err," -des            encrypt PEM output with cbc des\n");
 		BIO_printf(bio_err," -des3           encrypt PEM output with ede cbc des using 168 bit key\n");
 #ifndef OPENSSL_NO_IDEA
@@ -207,7 +218,9 @@ bad:
 	ERR_load_crypto_strings();
 #ifndef OPENSSL_NO_ENGINE
        e = setup_engine(bio_err, engine, 0);
 #endif
 	if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
 		BIO_printf(bio_err, "Error getting passwords\n");
@@ -314,6 +327,6 @@ end:
 	if(passin) OPENSSL_free(passin);
 	if(passout) OPENSSL_free(passout);
 	apps_shutdown();
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
 #endif
--- a/apps/dsaparam.c
+++ b/apps/dsaparam.c
@@ -90,7 +90,9 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 	{
 #ifndef OPENSSL_NO_ENGINE
 	ENGINE *e = NULL;
 #endif
 	DSA *dsa=NULL;
 	int i,badops=0,text=0;
 	BIO *in=NULL,*out=NULL;
@@ -98,7 +100,9 @@ int MAIN(int argc, char **argv)
 	char *infile,*outfile,*prog,*inrand=NULL;
 	int numbits= -1,num,genkey=0;
 	int need_rand=0;
 #ifndef OPENSSL_NO_ENGINE
 	char *engine=NULL;
 #endif
 	apps_startup();
@@ -139,11 +143,13 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			outfile= *(++argv);
 			}
 #ifndef OPENSSL_NO_ENGINE
 		else if(strcmp(*argv, "-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine = *(++argv);
 			}
 #endif
 		else if (strcmp(*argv,"-text") == 0)
 			text=1;
 		else if (strcmp(*argv,"-C") == 0)
@@ -191,7 +197,9 @@ bad:
 		BIO_printf(bio_err," -noout        no output\n");
 		BIO_printf(bio_err," -genkey       generate a DSA key\n");
 		BIO_printf(bio_err," -rand         files to use for random number input\n");
 #ifndef OPENSSL_NO_ENGINE
 		BIO_printf(bio_err," -engine e     use engine e, possibly a hardware device.\n");
 #endif
 		BIO_printf(bio_err," number        number of bits to use for generating private key\n");
 		goto end;
 		}
@@ -235,7 +243,9 @@ bad:
 			}
 		}
 #ifndef OPENSSL_NO_ENGINE
        e = setup_engine(bio_err, engine, 0);
 #endif
 	if (need_rand)
 		{
@@ -372,7 +382,7 @@ end:
 	if (out != NULL) BIO_free_all(out);
 	if (dsa != NULL) DSA_free(dsa);
 	apps_shutdown();
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
 static void MS_CALLBACK dsa_cb(int p, int n, void *arg)
--- a/apps/ecdsa.c
+++ b/apps/ecdsa.c
@@ -1,445 +0,0 @@
 /* apps/ecdsa.c */
 /* ====================================================================
 * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    openssl-core@openssl.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 * 
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
 * 
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
 * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *    "This product includes cryptographic software written by
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
 * 4. If you include any Windows specific code (or a derivative thereof) from 
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
 * 
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 * 
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */
 #ifndef OPENSSL_NO_ECDSA
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <time.h>
 #include "apps.h"
 #include <openssl/bio.h>
 #include <openssl/err.h>
 #include <openssl/ecdsa.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 #undef PROG
 #define PROG	ecdsa_main
 /* -inform arg	- input format - default PEM (one of DER, NET or PEM)
 * -outform arg - output format - default PEM
 * -in arg	- input file - default stdin
 * -out arg	- output file - default stdout
 * -des		- encrypt output if PEM format with DES in cbc mode
 * -des3	- encrypt output if PEM format
 * -idea	- encrypt output if PEM format
 * -aes128	- encrypt output if PEM format
 * -aes192	- encrypt output if PEM format
 * -aes256	- encrypt output if PEM format
 * -text	- print a text version
 * -pub		- print the ECDSA public key
 * -compressed  - print the public key in compressed form ( default )   
 * -hybrid 	- print the public key in hybrid form
 * -uncompressed - print the public key in uncompressed form
 *		  the last three options ( compressed, hybrid and uncompressed )
 *		  are only used if the "-pub" option is also selected.
 *	  	  For a precise description of the the meaning of compressed,
 *		  hybrid and uncompressed please refer to the X9.62 standart.
 *		  All three forms represents ways to express the ecdsa public
 *		  key ( a point on a elliptic curve ) as octet string. Let len be
 *		  the length ( in bytes ) of an element of the field over which
 *		  the curve is defined, then a compressed octet string has the form
 *		  0x02 + result of BN_bn2bin() of the x coordinate of the public key
 */
 int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 {
 	ENGINE 	*e = NULL;
 	int 	ret = 1;
 	ECDSA 	*ecdsa = NULL;
 	int 	i, badops = 0;
 	const EVP_CIPHER *enc = NULL;
 	BIO 	*in = NULL, *out = NULL;
 	int 	informat, outformat, text=0, noout=0;
 	int  	pubin = 0, pubout = 0;
 	char 	*infile, *outfile, *prog, *engine;
 	char 	*passargin = NULL, *passargout = NULL;
 	char 	*passin = NULL, *passout = NULL;
 	int 	pub = 0, point_form = 0;
 	unsigned char *buffer = NULL;
 	unsigned int  buf_len = 0;
 	BIGNUM	*tmp_bn = NULL;
 	apps_startup();
 	if (bio_err == NULL)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err, stderr, BIO_NOCLOSE|BIO_FP_TEXT);
 	if (!load_config(bio_err, NULL))
 		goto end;
 	engine = NULL;
 	infile = NULL;
 	outfile = NULL;
 	informat = FORMAT_PEM;
 	outformat = FORMAT_PEM;
 	prog = argv[0];
 	argc--;
 	argv++;
 	while (argc >= 1)
 	{
 		if (strcmp(*argv,"-inform") == 0)
 		{
 			if (--argc < 1) goto bad;
 			informat=str2fmt(*(++argv));
 		}
 		else if (strcmp(*argv,"-outform") == 0)
 		{
 			if (--argc < 1) goto bad;
 			outformat=str2fmt(*(++argv));
 		}
 		else if (strcmp(*argv,"-in") == 0)
 		{
 			if (--argc < 1) goto bad;
 			infile= *(++argv);
 		}
 		else if (strcmp(*argv,"-out") == 0)
 		{
 			if (--argc < 1) goto bad;
 			outfile= *(++argv);
 		}
 		else if (strcmp(*argv,"-passin") == 0)
 		{
 			if (--argc < 1) goto bad;
 			passargin= *(++argv);
 		}
 		else if (strcmp(*argv,"-passout") == 0)
 		{
 			if (--argc < 1) goto bad;
 			passargout= *(++argv);
 		}
 		else if (strcmp(*argv, "-engine") == 0)
 		{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 		}
 		else if (strcmp(*argv, "-noout") == 0)
 			noout = 1;
 		else if (strcmp(*argv, "-text") == 0)
 			text = 1;
 		else if (strcmp(*argv, "-pub") == 0)
 		{
 			pub = 1;
 			buffer = (unsigned char *)(*(argv+1));
 			if (strcmp((char *)buffer, "compressed") == 0)
 				point_form = POINT_CONVERSION_COMPRESSED;
 			else if (strcmp((char *)buffer, "hybrid") == 0)
 				point_form = POINT_CONVERSION_HYBRID;
 			else if (strcmp((char *)buffer, "uncompressed") == 0)
 				point_form = POINT_CONVERSION_UNCOMPRESSED;
 			if (point_form)
 			{
 				argc--;
 				argv++;
 			}
 		}
 		else if (strcmp(*argv, "-pubin") == 0)
 			pubin=1;
 		else if (strcmp(*argv, "-pubout") == 0)
 			pubout=1;
 		else if ((enc=EVP_get_cipherbyname(&(argv[0][1]))) == NULL)
 		{
 			BIO_printf(bio_err,"unknown option %s\n",*argv);
 			badops=1;
 			break;
 		}
 		argc--;
 		argv++;
 	}
 	if (badops)
 	{
 bad:
 		BIO_printf(bio_err, "%s [options] <infile >outfile\n",prog);
 		BIO_printf(bio_err, "where options are\n");
 		BIO_printf(bio_err, " -inform arg     input format - DER or PEM\n");
 		BIO_printf(bio_err, " -outform arg    output format - DER or PEM\n");
 		BIO_printf(bio_err, " -in arg         input file\n");
 		BIO_printf(bio_err, " -passin arg     input file pass phrase source\n");
 		BIO_printf(bio_err, " -out arg        output file\n");
 		BIO_printf(bio_err, " -passout arg    output file pass phrase source\n");
 		BIO_printf(bio_err, " -engine e       use engine e, possibly a hardware device.\n");
 		BIO_printf(bio_err, " -des            encrypt PEM output with cbc des\n");
 		BIO_printf(bio_err, " -des3           encrypt PEM output with ede cbc des using 168 bit key\n");
 #ifndef OPENSSL_NO_IDEA
 		BIO_printf(bio_err, " -idea           encrypt PEM output with cbc idea\n");
 #endif
 #ifndef OPENSSL_NO_AES
 		BIO_printf(bio_err, " -aes128, -aes192, -aes256\n");
 		BIO_printf(bio_err, "                 encrypt PEM output with cbc aes\n");
 #endif
 		BIO_printf(bio_err, " -text           print the key in text\n");
 		BIO_printf(bio_err, " -noout          don't print key out\n");
 		BIO_printf(bio_err, " -pub [compressed | hybrid | uncompressed] \n");
 		BIO_printf(bio_err, "         compressed     print the public key in compressed form ( default )\n");   
 		BIO_printf(bio_err, "         hybrid         print the public key in hybrid form\n");
 		BIO_printf(bio_err, "         uncompressed   print the public key in uncompressed form\n");
 		goto end;
 	}
 	ERR_load_crypto_strings();
        e = setup_engine(bio_err, engine, 0);
 	if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) 
 	{
 		BIO_printf(bio_err, "Error getting passwords\n");
 		goto end;
 	}
 	in = BIO_new(BIO_s_file());
 	out = BIO_new(BIO_s_file());
 	if ((in == NULL) || (out == NULL))
 	{
 		ERR_print_errors(bio_err);
 		goto end;
 	}
 	if (infile == NULL)
 		BIO_set_fp(in,stdin,BIO_NOCLOSE);
 	else
 	{
 		if (BIO_read_filename(in,infile) <= 0)
 		{
 			perror(infile);
 			goto end;
 		}
 	}
 	BIO_printf(bio_err,"read ECDSA key\n");
 	if (informat == FORMAT_ASN1) 
 	{
 		if (pubin) 
 			ecdsa = d2i_ECDSA_PUBKEY_bio(in, NULL);
 		else 
 			ecdsa = d2i_ECDSAPrivateKey_bio(in, NULL);
 	} else if (informat == FORMAT_PEM) 
 	{
 		if (pubin) 
 			ecdsa = PEM_read_bio_ECDSA_PUBKEY(in, NULL, NULL, NULL);
 		else 
 			ecdsa = PEM_read_bio_ECDSAPrivateKey(in, NULL, NULL, passin);
 	} else
 	{
 		BIO_printf(bio_err, "bad input format specified for key\n");
 		goto end;
 	}
 	if (ecdsa == NULL)
 	{
 		BIO_printf(bio_err,"unable to load Key\n");
 		ERR_print_errors(bio_err);
 		goto end;
 	}
 	if (outfile == NULL)
 	{
 		BIO_set_fp(out, stdout, BIO_NOCLOSE);
 #ifdef OPENSSL_SYS_VMS
 		{
 			BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 			out = BIO_push(tmpbio, out);
 		}
 #endif
 	}
 	else
 	{
 		if (BIO_write_filename(out, outfile) <= 0)
 		{
 			perror(outfile);
 			goto end;
 		}
 	}
 	if (text) 
 		if (!ECDSA_print(out, ecdsa, 0))
 		{
 			perror(outfile);
 			ERR_print_errors(bio_err);
 			goto end;
 		}
 	if (pub)
 	{
 		fprintf(stdout, "Public Key (");
 		if (point_form == POINT_CONVERSION_COMPRESSED)
 			fprintf(stdout, "COMPRESSED");
 		else if (point_form == POINT_CONVERSION_UNCOMPRESSED)
 			fprintf(stdout, "UNCOMPRESSED");
 		else if (point_form == POINT_CONVERSION_HYBRID)
 			fprintf(stdout, "HYBRID");
 		fprintf(stdout, ")=");
 		buf_len = EC_POINT_point2oct(ecdsa->group, EC_GROUP_get0_generator(ecdsa->group),
 					     point_form, NULL, 0, NULL);
 		if (!buf_len)
 		{
 			BIO_printf(bio_err,"invalid public key length\n");
 			ERR_print_errors(bio_err);
 			goto end;
 		}
 		if ((tmp_bn = BN_new()) == NULL ||
 		    (buffer = OPENSSL_malloc(buf_len)) == NULL) goto end;
 		if (!EC_POINT_point2oct(ecdsa->group, EC_GROUP_get0_generator(ecdsa->group),
 					     point_form, buffer, buf_len, NULL) ||
 		    !BN_bin2bn(buffer, buf_len, tmp_bn))
 		{
 			BIO_printf(bio_err,"can not encode public key\n");
 			ERR_print_errors(bio_err);
 			OPENSSL_free(buffer);
 			goto end;
 		}
 		BN_print(out, tmp_bn);
 		fprintf(stdout,"\n");
 	}
 	if (noout) 
 		goto end;
 	BIO_printf(bio_err, "writing ECDSA key\n");
 	if (outformat == FORMAT_ASN1) 
 	{
 		if(pubin || pubout) 
 			i = i2d_ECDSA_PUBKEY_bio(out, ecdsa);
 		else 
 			i = i2d_ECDSAPrivateKey_bio(out, ecdsa);
 	} else if (outformat == FORMAT_PEM) 
 	{
 		if(pubin || pubout)
 			i = PEM_write_bio_ECDSA_PUBKEY(out, ecdsa);
 		else 
 			i = PEM_write_bio_ECDSAPrivateKey(out, ecdsa, enc,
 							NULL, 0, NULL, passout);
 	} else 
 	{
 		BIO_printf(bio_err, "bad output format specified for outfile\n");
 		goto end;
 	}
 	if (!i)
 	{
 		BIO_printf(bio_err, "unable to write private key\n");
 		ERR_print_errors(bio_err);
 	}
 	else
 		ret=0;
 end:
 	if (in) 	BIO_free(in);
 	if (out)	BIO_free_all(out);
 	if (ecdsa) 	ECDSA_free(ecdsa);
 	if (tmp_bn)	BN_free(tmp_bn);
 	if (passin) 	OPENSSL_free(passin);
 	if (passout) 	OPENSSL_free(passout);
 	apps_shutdown();
 	EXIT(ret);
 }
 #endif
--- a/apps/ecparam.c
+++ b/apps/ecparam.c
@@ -1,688 +0,0 @@
 /* apps/ecparam.c */
 /* ====================================================================
 * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    openssl-core@openssl.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */
 #ifndef OPENSSL_NO_ECDSA
 #include <assert.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <time.h>
 #include <string.h>
 #include "apps.h"
 #include <openssl/bio.h>
 #include <openssl/err.h>
 #include <openssl/bn.h>
 #include <openssl/ec.h>
 #include <openssl/ecdsa.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 #undef PROG
 #define PROG	ecparam_main
 /* -inform arg            - input format - default PEM (DER or PEM)
 * -outform arg           - output format - default PEM
 * -in arg                - input file  - default stdin
 * -out arg               - output file - default stdout
 * -noout
 * -text
 * -check                 - validate the ec parameters
 * -C
 * -noout
 * -name file             - use the ecparameters with 'short name' name
 * -list_curves           - prints a list of all currently available curve
 *                          'short names' and exits
 * -conv_form                  - specifies the point conversion form 
 *                          possible values : compressed
 *                                            uncompressed (default)
 *                                            hybrid
 * -param_enc             - specifies the way the ec parameters are encoded
 *                          in the asn1 der encoding
 *                          possilbe values : named_curve (default)
 *                                            explicit
 * -no_seed               - if 'explicit' parameters are choosen do not
 *                          use the seed
 * -genkey                - generates a ecdsa private key
 * -rand file
 * -engine e              - use engine e, possible a hardware device
 */
 static const char *curve_list[20] = {
 	"prime192v1       - NIST recommended curve over a 192 bit prime field",
 	"prime192v2       - 192 bit prime curve from the X9.62 draft",
 	"prime192v3       - 192 bit prime curve from the X9.62 draft",
 	"prime239v1       - 239 bit prime curve from the X9.62 draft",
 	"prime239v2       - 239 bit prime curve from the X9.62 draft",
 	"prime239v3       - 239 bit prime curve from the X9.62 draft", 
 	"prime256v1       - NIST recommended curve over a 256 bit prime field",
 	"secp112r1        - SECG recommended curve over a 112 bit prime field", 
 	"secp112r2        - SECG recommended curve over a 112 bit prime field", 
 	"secp128r1        - SECG recommended curve over a 128 bit prime field",
 	"secp128r2        - SECG recommended curve over a 128 bit prime field", 
 	"secp160k1        - SECG recommended curve over a 160 bit prime field", 
 	"secp160r1        - SECG recommended curve over a 160 bit prime field", 
 	"secp160r2        - SECG recommended curve over a 160 bit prime field", 
 	"secp192k1        - SECG recommended curve over a 192 bit prime field",
 	"secp224k1        - SECG recommended curve over a 224 bit prime field", 
 	"secp224r1        - NIST recommended curve over a 224 bit prime field", 
 	"secp256k1        - SECG recommended curve over a 256 bit prime field",
 	"secp384r1        - NIST recommended curve over a 384 bit prime field", 
 	"secp521r1        - NIST recommended curve over a 521 bit prime field"
 };
 static int ecparam_print_var(BIO *,BIGNUM *,const char *,int,unsigned char *);
 int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 	{
 	EC_GROUP *group = NULL;
 	point_conversion_form_t form = POINT_CONVERSION_UNCOMPRESSED; 
 	int 	new_form = 0;
 	int 	asn1_flag = OPENSSL_EC_NAMED_CURVE;
 	int 	new_asn1_flag = 0;
 	char 	*curve_name = NULL, *inrand = NULL;
 	int	list_curves = 0, no_seed = 0, check = 0,
 		badops = 0, text = 0, i, need_rand = 0, genkey = 0;
 	char	*infile = NULL, *outfile = NULL, *prog;
 	BIO 	*in = NULL, *out = NULL;
 	int 	informat, outformat, noout = 0, C = 0, ret = 1;
 	ENGINE	*e = NULL;
 	char	*engine = NULL;
 	BIGNUM	*ec_p = NULL, *ec_a = NULL, *ec_b = NULL,
 		*ec_gen = NULL, *ec_order = NULL, *ec_cofactor = NULL;
 	unsigned char *buffer = NULL;
 	apps_startup();
 	if (bio_err == NULL)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
 	if (!load_config(bio_err, NULL))
 		goto end;
 	informat=FORMAT_PEM;
 	outformat=FORMAT_PEM;
 	prog=argv[0];
 	argc--;
 	argv++;
 	while (argc >= 1)
 		{
 		if 	(strcmp(*argv,"-inform") == 0)
 			{
 			if (--argc < 1) goto bad;
 			informat=str2fmt(*(++argv));
 			}
 		else if (strcmp(*argv,"-outform") == 0)
 			{
 			if (--argc < 1) goto bad;
 			outformat=str2fmt(*(++argv));
 			}
 		else if (strcmp(*argv,"-in") == 0)
 			{
 			if (--argc < 1) goto bad;
 			infile= *(++argv);
 			}
 		else if (strcmp(*argv,"-out") == 0)
 			{
 			if (--argc < 1) goto bad;
 			outfile= *(++argv);
 			}
 		else if (strcmp(*argv,"-text") == 0)
 			text = 1;
 		else if (strcmp(*argv,"-C") == 0)
 			C = 1;
 		else if (strcmp(*argv,"-check") == 0)
 			check = 1;
 		else if (strcmp (*argv, "-name") == 0)
 			{
 			if (--argc < 1)
 				goto bad;
 			curve_name = *(++argv);
 			}
 		else if (strcmp(*argv, "-list_curves") == 0)
 			list_curves = 1;
 		else if (strcmp(*argv, "-conv_form") == 0)
 			{
 			if (--argc < 1)
 				goto bad;
 			++argv;
 			new_form = 1;
 			if (strcmp(*argv, "compressed") == 0)
 				form = POINT_CONVERSION_COMPRESSED;
 			else if (strcmp(*argv, "uncompressed") == 0)
 				form = POINT_CONVERSION_UNCOMPRESSED;
 			else if (strcmp(*argv, "hybrid") == 0)
 				form = POINT_CONVERSION_HYBRID;
 			else
 				goto bad;
 			}
 		else if (strcmp(*argv, "-param_enc") == 0)
 			{
 			if (--argc < 1)
 				goto bad;
 			++argv;
 			new_asn1_flag = 1;
 			if (strcmp(*argv, "named_curve") == 0)
 				asn1_flag = OPENSSL_EC_NAMED_CURVE;
 			else if (strcmp(*argv, "explicit") == 0)
 				asn1_flag = 0;
 			else
 				goto bad;
 			}
 		else if (strcmp(*argv, "-no_seed") == 0)
 			no_seed = 1;
 		else if (strcmp(*argv, "-noout") == 0)
 			noout=1;
 		else if (strcmp(*argv,"-genkey") == 0)
 			{
 			genkey=1;
 			need_rand=1;
 			}
 		else if (strcmp(*argv, "-rand") == 0)
 			{
 			if (--argc < 1) goto bad;
 			inrand= *(++argv);
 			need_rand=1;
 			}
 		else if(strcmp(*argv, "-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine = *(++argv);
 			}	
 		else
 			{
 			BIO_printf(bio_err,"unknown option %s\n",*argv);
 			badops=1;
 			break;
 			}
 		argc--;
 		argv++;
 		}
 	if (badops)
 		{
 bad:
 		BIO_printf(bio_err, "%s [options] <infile >outfile\n",prog);
 		BIO_printf(bio_err, "where options are\n");
 		BIO_printf(bio_err, " -inform arg             input format - "
 				"default PEM (DER or PEM)\n");
 		BIO_printf(bio_err, " -outform arg            output format - "
 				"default PEM\n");
 		BIO_printf(bio_err, " -in  arg                input file  - "
 				"default stdin\n");
 		BIO_printf(bio_err, " -out arg                output file - "
 				"default stdout\n");
 		BIO_printf(bio_err, " -noout                  do not print the "
 				"ec parameter\n");
 		BIO_printf(bio_err, " -text                   print the ec "
 				"parameters in text form\n");
 		BIO_printf(bio_err, " -check                  validate the ec "
 				"parameters\n");
 		BIO_printf(bio_err, " -C                      print a 'C' "
 				"function creating the parameters\n");
 		BIO_printf(bio_err, " -name arg               use the "
 				"ec parameters with 'short name' name\n");
 		BIO_printf(bio_err, " -list_curves            prints a list of "
 				"all currently available curve\n");
 		BIO_printf(bio_err, "                         'short names'\n");
 		BIO_printf(bio_err, " -conv_form arg          specifies the "
 				"point conversion form \n");
 		BIO_printf(bio_err, "                         possible values :"
 				" compressed\n");
 		BIO_printf(bio_err, "                                          "
 				" uncompressed (default)\n");
 		BIO_printf(bio_err, "                                          "
 				" hybrid\n");
 		BIO_printf(bio_err, " -param_enc arg          specifies the way"
 				" the ec parameters are encoded\n");
 		BIO_printf(bio_err, "                         in the asn1 der "
 				"encoding\n");
 		BIO_printf(bio_err, "                         possilbe values :"
 				" named_curve (default)\n");
 		BIO_printf(bio_err,"                                      "
 				"     explicit\n");
 		BIO_printf(bio_err, " -no_seed                if 'explicit'"
 				" parameters are choosen do not\n");
 		BIO_printf(bio_err, "                         use the seed\n");
 		BIO_printf(bio_err, " -genkey                 generate ecdsa"
 				" key\n");
 		BIO_printf(bio_err, " -rand file              files to use for"
 				" random number input\n");
 		BIO_printf(bio_err, " -engine e               use engine e, "
 				"possible a hardware device\n");
 		goto end;
 		}
 	ERR_load_crypto_strings();
 	in=BIO_new(BIO_s_file());
 	out=BIO_new(BIO_s_file());
 	if ((in == NULL) || (out == NULL))
 		{
 		ERR_print_errors(bio_err);
 		goto end;
 		}
 	if (infile == NULL)
 		BIO_set_fp(in,stdin,BIO_NOCLOSE);
 	else
 		{
 		if (BIO_read_filename(in,infile) <= 0)
 			{
 			perror(infile);
 			goto end;
 			}
 		}
 	if (outfile == NULL)
 		{
 		BIO_set_fp(out,stdout,BIO_NOCLOSE);
 #ifdef OPENSSL_SYS_VMS
 		{
 		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 		out = BIO_push(tmpbio, out);
 		}
 #endif
 		}
 	else
 		{
 		if (BIO_write_filename(out,outfile) <= 0)
 			{
 			perror(outfile);
 			goto end;
 			}
 		}
 	e = setup_engine(bio_err, engine, 0);
 	if (list_curves)
 		{
 		int counter=0;
 		for (; counter < sizeof(curve_list)/sizeof(char *); counter++)
 			if (BIO_printf(bio_err, " %s\n", curve_list[counter]) 
 				<= 0) 
 				goto end;
 		ret = 0;
 		goto end;
 		}
 	if (curve_name != NULL)
 		{
 		int nid = OBJ_sn2nid(curve_name);
 		if (nid == 0)
 			{
 			BIO_printf(bio_err, "unknown curve name (%s)\n", 
 				curve_name);
 			goto end;
 			}
 		group = EC_GROUP_new_by_nid(nid);
 		if (group == NULL)
 			{
 			BIO_printf(bio_err, "unable to create curve (%s)\n", 
 				curve_name);
 			goto end;
 			}
 		EC_GROUP_set_asn1_flag(group, asn1_flag);
 		EC_GROUP_set_point_conversion_form(group, form);
 		}
 	else if (informat == FORMAT_ASN1)
 		{
 		group = d2i_ECPKParameters_bio(in, NULL);
 		}
 	else if (informat == FORMAT_PEM)
 		{
 		group = PEM_read_bio_ECPKParameters(in,NULL,NULL,NULL);
 		}
 	else
 		{
 		BIO_printf(bio_err, "bad input format specified\n");
 		goto end;
 		}
 	if (group == NULL)
 		{
 		BIO_printf(bio_err, 
 			"unable to load elliptic curve parameters\n");
 		ERR_print_errors(bio_err);
 		goto end;
 		}
 	if (new_form)
 		EC_GROUP_set_point_conversion_form(group, form);
 	if (new_asn1_flag)
 		EC_GROUP_set_asn1_flag(group, asn1_flag);
 	if (no_seed)
 		{
 		EC_GROUP_set_seed(group, NULL, 0);
 		}
 	if (text)
 		{
 		if (!ECPKParameters_print(out, group, 0))
 			goto end;
 		}
 	if (check)
 		{
 		if (group == NULL)
 			BIO_printf(bio_err, "no elliptic curve parameters\n");
 		BIO_printf(bio_err, "checking elliptic curve parameters: ");
 		if (!EC_GROUP_check(group, NULL))
 			{
 			BIO_printf(bio_err, "failed\n");
 			ERR_print_errors(bio_err);
 			}
 		else
 			BIO_printf(bio_err, "ok\n");
 		}
 	if (C)
 		{
 		size_t	buf_len = 0, tmp_len = 0;
 		const EC_POINT *point;
 		int	is_prime, len = 0;
 		const EC_METHOD *meth = EC_GROUP_method_of(group);
 		if ((ec_p = BN_new()) == NULL || (ec_a = BN_new()) == NULL ||
 		    (ec_b = BN_new()) == NULL || (ec_gen = BN_new()) == NULL ||
 		    (ec_order = BN_new()) == NULL || 
 		    (ec_cofactor = BN_new()) == NULL )
 			{
 			perror("OPENSSL_malloc");
 			goto end;
 			}
 		is_prime = (EC_METHOD_get_field_type(meth) == 
 			NID_X9_62_prime_field);
 		if (is_prime)
 			{
 			if (!EC_GROUP_get_curve_GFp(group, ec_p, ec_a,
 				ec_b, NULL))
 				goto end;
 			}
 		else
 			{
 			/* TODO */
 			goto end;
 			}
 		if ((point = EC_GROUP_get0_generator(group)) == NULL)
 			goto end;
 		if (!EC_POINT_point2bn(group, point, 
 			EC_GROUP_get_point_conversion_form(group), ec_gen, 
 			NULL))
 			goto end;
 		if (!EC_GROUP_get_order(group, ec_order, NULL))
 			goto end;
 		if (!EC_GROUP_get_cofactor(group, ec_cofactor, NULL))
 			goto end;
 		if (!ec_p || !ec_a || !ec_b || !ec_gen || 
 			!ec_order || !ec_cofactor)
 			goto end;
 		len = BN_num_bits(ec_order);
 		if ((tmp_len = (size_t)BN_num_bytes(ec_p)) > buf_len)
 			buf_len = tmp_len;
 		if ((tmp_len = (size_t)BN_num_bytes(ec_a)) > buf_len)
 			buf_len = tmp_len;
 		if ((tmp_len = (size_t)BN_num_bytes(ec_b)) > buf_len)
 			buf_len = tmp_len;
 		if ((tmp_len = (size_t)BN_num_bytes(ec_gen)) > buf_len)
 			buf_len = tmp_len;
 		if ((tmp_len = (size_t)BN_num_bytes(ec_order)) > buf_len)
 			buf_len = tmp_len;
 		if ((tmp_len = (size_t)BN_num_bytes(ec_cofactor)) > buf_len)
 			buf_len = tmp_len;
 		buffer = (unsigned char *)OPENSSL_malloc(buf_len);
 		if (buffer == NULL)
 			{
 			perror("OPENSSL_malloc");
 			goto end;
 			}
 		ecparam_print_var(out, ec_p, "ec_p", len, buffer);
 		ecparam_print_var(out, ec_a, "ec_a", len, buffer);
 		ecparam_print_var(out, ec_b, "ec_b", len, buffer);
 		ecparam_print_var(out, ec_gen, "ec_gen", len, buffer);
 		ecparam_print_var(out, ec_order, "ec_order", len, buffer);
 		ecparam_print_var(out, ec_cofactor, "ec_cofactor", len, 
 			buffer);
 		BIO_printf(out, "\n\n");
 		BIO_printf(out, "EC_GROUP *get_ec_group_%d(void)\n\t{\n", len);
 		BIO_printf(out, "\tint ok=0;\n");
 		BIO_printf(out, "\tEC_GROUP *group = NULL;\n");
 		BIO_printf(out, "\tEC_POINT *point = NULL;\n");
 		BIO_printf(out, "\tBIGNUM   *tmp_1 = NULL, *tmp_2 = NULL, "
 				"*tmp_3 = NULL;\n\n");
 		BIO_printf(out, "\tif ((tmp_1 = BN_bin2bn(ec_p_%d, "
 				"sizeof(ec_p_%d), NULL)) == NULL)\n\t\t"
 				"goto err;\n", len, len);
 		BIO_printf(out, "\tif ((tmp_2 = BN_bin2bn(ec_a_%d, "
 				"sizeof(ec_a_%d), NULL)) == NULL)\n\t\t"
 				"goto err;\n", len, len);
 		BIO_printf(out, "\tif ((tmp_3 = BN_bin2bn(ec_b_%d, "
 				"sizeof(ec_b_%d), NULL)) == NULL)\n\t\t"
 				"goto err;\n", len, len);
 		if (is_prime)
 			{
 			BIO_printf(out, "\tif ((group = EC_GROUP_new_curve_"
 				"GFp(tmp_1, tmp_2, tmp_3, NULL)) == NULL)"
 				"\n\t\tgoto err;\n\n");
 			}
 		else
 			{
 			/* TODO */
 			goto end;
 			}
 		BIO_printf(out, "\t/* build generator */\n");
 		BIO_printf(out, "\tif ((tmp_1 = BN_bin2bn(ec_gen_%d, "
 				"sizeof(ec_gen_%d), tmp_1)) == NULL)"
 				"\n\t\tgoto err;\n", len, len);
 		BIO_printf(out, "\tpoint = EC_POINT_bn2point(group, tmp_1, "
 				"NULL, NULL);\n");
 		BIO_printf(out, "\tif (point == NULL)\n\t\tgoto err;\n");
 		BIO_printf(out, "\tif ((tmp_2 = BN_bin2bn(ec_order_%d, "
 				"sizeof(ec_order_%d), tmp_2)) == NULL)"
 				"\n\t\tgoto err;\n", len, len);
 		BIO_printf(out, "\tif ((tmp_3 = BN_bin2bn(ec_cofactor_%d, "
 				"sizeof(ec_cofactor_%d), tmp_3)) == NULL)"
 				"\n\t\tgoto err;\n", len, len);
 		BIO_printf(out, "\tif (!EC_GROUP_set_generator(group, point,"
 				" tmp_2, tmp_3))\n\t\tgoto err;\n");
 		BIO_printf(out, "\n\tok=1;\n");
 		BIO_printf(out, "err:\n");
 		BIO_printf(out, "\tif (tmp_1)\n\t\tBN_free(tmp_1);\n");
 		BIO_printf(out, "\tif (tmp_2)\n\t\tBN_free(tmp_2);\n");
 		BIO_printf(out, "\tif (tmp_3)\n\t\tBN_free(tmp_3);\n");
 		BIO_printf(out, "\tif (point)\n\t\tEC_POINT_free(point);\n");
 		BIO_printf(out, "\tif (!ok)\n");
 		BIO_printf(out, "\t\t{\n");
 		BIO_printf(out, "\t\tEC_GROUP_free(group);\n");
 		BIO_printf(out, "\t\tgroup = NULL;\n");
 		BIO_printf(out, "\t\t}\n");
 		BIO_printf(out, "\treturn(group);\n\t}\n");
 	}
 	if (!noout)
 		{
 		if (outformat == FORMAT_ASN1)
 			i = i2d_ECPKParameters_bio(out, group);
 		else if (outformat == FORMAT_PEM)
 			i = PEM_write_bio_ECPKParameters(out, group);
 		else	
 			{
 			BIO_printf(bio_err,"bad output format specified for"
 				" outfile\n");
 			goto end;
 			}
 		if (!i)
 			{
 			BIO_printf(bio_err, "unable to write elliptic "
 				"curve parameters\n");
 			ERR_print_errors(bio_err);
 			goto end;
 			}
 		}
 	if (need_rand)
 		{
 		app_RAND_load_file(NULL, bio_err, (inrand != NULL));
 		if (inrand != NULL)
 			BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
 				app_RAND_load_files(inrand));
 		}
 	if (genkey)
 		{
 		ECDSA *ecdsa = ECDSA_new();
 		if (ecdsa == NULL)
 			goto end;
 		assert(need_rand);
 		ecdsa->group = group;
 		if (!ECDSA_generate_key(ecdsa))
 			{
 			ecdsa->group = NULL;
 			ECDSA_free(ecdsa);
 			goto end;
 			}
 		if (outformat == FORMAT_ASN1)
 			i = i2d_ECDSAPrivateKey_bio(out, ecdsa);
 		else if (outformat == FORMAT_PEM)
 			i = PEM_write_bio_ECDSAPrivateKey(out, ecdsa, NULL,
 				NULL, 0, NULL, NULL);
 		else	
 			{
 			BIO_printf(bio_err, "bad output format specified "
 				"for outfile\n");
 			ecdsa->group = NULL;
 			ECDSA_free(ecdsa);
 			goto end;
 			}
 		ecdsa->group = NULL;
 		ECDSA_free(ecdsa);
 		}
 	if (need_rand)
 		app_RAND_write_file(NULL, bio_err);
 	ret=0;
 end:
 	if (ec_p)
 		BN_free(ec_p);
 	if (ec_a)
 		BN_free(ec_a);
 	if (ec_b)
 		BN_free(ec_b);
 	if (ec_gen)
 		BN_free(ec_gen);
 	if (ec_order)
 		BN_free(ec_order);
 	if (ec_cofactor)
 		BN_free(ec_cofactor);
 	if (buffer)
 		OPENSSL_free(buffer);
 	if (in != NULL)
 		BIO_free(in);
 	if (out != NULL)
 		BIO_free_all(out);
 	if (group != NULL)
 		EC_GROUP_free(group);
 	apps_shutdown();
 	EXIT(ret);
 }
 int ecparam_print_var(BIO *out, BIGNUM *in, const char *var,
 	int len, unsigned char *buffer)
 	{
 	BIO_printf(out, "static unsigned char %s_%d[] = {", var, len);
 	if (BN_is_zero(in))
 		BIO_printf(out, "\n\t0x00");
 	else 
 		{
 		int i, l;
 		l = BN_bn2bin(in, buffer);
 		for (i=0; i<l-1; i++)
 			{
 			if ((i%12) == 0) 
 				BIO_printf(out, "\n\t");
 			BIO_printf(out, "0x%02X,", buffer[i]);
 			}
 		if ((i%12) == 0) 
 			BIO_printf(out, "\n\t");
 		BIO_printf(out, "0x%02X", buffer[i]);
 		}
 	BIO_printf(out, "\n\t};\n\n");
 	return 1;
 	}
 #endif
--- a/apps/enc.c
+++ b/apps/enc.c
@@ -100,9 +100,11 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 	{
 #ifndef OPENSSL_NO_ENGINE
 	ENGINE *e = NULL;
 #endif
 	static const char magic[]="Salted__";
-	char mbuf[8];	/* should be 1 smaller than magic */
+	char mbuf[sizeof magic-1];
 	char *strbuf=NULL;
 	unsigned char *buff=NULL,*bufsize=NULL;
 	int bsize=BSIZE,verbose=0;
@@ -119,7 +121,9 @@ int MAIN(int argc, char **argv)
 	BIO *in=NULL,*out=NULL,*b64=NULL,*benc=NULL,*rbio=NULL,*wbio=NULL;
 #define PROG_NAME_SIZE  39
 	char pname[PROG_NAME_SIZE+1];
 #ifndef OPENSSL_NO_ENGINE
 	char *engine = NULL;
 #endif
 	apps_startup();
@@ -131,7 +135,7 @@ int MAIN(int argc, char **argv)
 		goto end;
 	/* first check the program name */
-	program_name(argv[0],pname,PROG_NAME_SIZE);
+	program_name(argv[0],pname,sizeof pname);
 	if (strcmp(pname,"base64") == 0)
 		base64=1;
@@ -163,11 +167,13 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			passarg= *(++argv);
 			}
 #ifndef OPENSSL_NO_ENGINE
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 			}
 #endif
 		else if	(strcmp(*argv,"-d") == 0)
 			enc=0;
 		else if	(strcmp(*argv,"-p") == 0)
@@ -216,7 +222,7 @@ int MAIN(int argc, char **argv)
 				goto bad;
 				}
 			buf[0]='\0';
-			fgets(buf,128,infile);
+			fgets(buf,sizeof buf,infile);
 			fclose(infile);
 			i=strlen(buf);
 			if ((i > 0) &&
@@ -270,7 +276,9 @@ bad:
 			BIO_printf(bio_err,"%-14s key/iv in hex is the next argument\n","-K/-iv");
 			BIO_printf(bio_err,"%-14s print the iv/key (then exit if -P)\n","-[pP]");
 			BIO_printf(bio_err,"%-14s buffer size\n","-bufsize <n>");
 #ifndef OPENSSL_NO_ENGINE
 			BIO_printf(bio_err,"%-14s use engine e, possibly a hardware device.\n","-engine e");
 #endif
 			BIO_printf(bio_err,"Cipher Types\n");
 			OBJ_NAME_do_all_sorted(OBJ_NAME_TYPE_CIPHER_METH,
@@ -284,7 +292,9 @@ bad:
 		argv++;
 		}
 #ifndef OPENSSL_NO_ENGINE
        e = setup_engine(bio_err, engine, 0);
 #endif
 	if (bufsize != NULL)
 		{
@@ -442,12 +452,12 @@ bad:
 			else {
 				if(enc) {
 					if(hsalt) {
-						if(!set_hex(hsalt,salt,PKCS5_SALT_LEN)) {
+						if(!set_hex(hsalt,salt,sizeof salt)) {
 							BIO_printf(bio_err,
 								"invalid hex salt value\n");
 							goto end;
 						}
-					} else if (RAND_pseudo_bytes(salt, PKCS5_SALT_LEN) < 0)
+					} else if (RAND_pseudo_bytes(salt, sizeof salt) < 0)
 						goto end;
 					/* If -P option then don't bother writing */
 					if((printkey != 2)
@@ -455,14 +465,14 @@ bad:
 							 sizeof magic-1) != sizeof magic-1
 					       || BIO_write(wbio,
 							    (char *)salt,
-							    PKCS5_SALT_LEN) != PKCS5_SALT_LEN)) {
+							    sizeof salt) != sizeof salt)) {
 						BIO_printf(bio_err,"error writing output file\n");
 						goto end;
 					}
 				} else if(BIO_read(rbio,mbuf,sizeof mbuf) != sizeof mbuf
 					  || BIO_read(rbio,
 						      (unsigned char *)salt,
-				    PKCS5_SALT_LEN) != PKCS5_SALT_LEN) {
+				    sizeof salt) != sizeof salt) {
 					BIO_printf(bio_err,"error reading input file\n");
 					goto end;
 				} else if(memcmp(mbuf,magic,sizeof magic-1)) {
@@ -481,9 +491,9 @@ bad:
 			 * bug picked up by
 			 * Larry J. Hughes Jr. <hughes@indiana.edu> */
 			if (str == strbuf)
-				memset(str,0,SIZE);
+				OPENSSL_cleanse(str,SIZE);
 			else
-				memset(str,0,strlen(str));
+				OPENSSL_cleanse(str,strlen(str));
 			}
 		if ((hiv != NULL) && !set_hex(hiv,iv,sizeof iv))
 			{
@@ -524,7 +534,7 @@ bad:
 			if (!nosalt)
 				{
 				printf("salt=");
-				for (i=0; i<PKCS5_SALT_LEN; i++)
+				for (i=0; i<sizeof salt; i++)
 					printf("%02X",salt[i]);
 				printf("\n");
 				}
@@ -586,7 +596,7 @@ end:
 	if (b64 != NULL) BIO_free(b64);
 	if(pass) OPENSSL_free(pass);
 	apps_shutdown();
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
 int set_hex(char *in, unsigned char *out, int size)
--- a/apps/engine.c
+++ b/apps/engine.c
@@ -56,6 +56,8 @@
 *
 */
 #ifndef OPENSSL_NO_ENGINE
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -516,5 +518,6 @@ end:
 	sk_pop_free(post_cmds, identity);
 	if (bio_out != NULL) BIO_free_all(bio_out);
 	apps_shutdown();
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
 #endif
--- a/apps/errstr.c
+++ b/apps/errstr.c
@@ -122,5 +122,5 @@ int MAIN(int argc, char **argv)
 			}
 		}
 	apps_shutdown();
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
--- a/apps/gendh.c
+++ b/apps/gendh.c
@@ -81,13 +81,17 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 	{
 #ifndef OPENSSL_NO_ENGINE
 	ENGINE *e = NULL;
 #endif
 	DH *dh=NULL;
 	int ret=1,num=DEFBITS;
 	int g=2;
 	char *outfile=NULL;
 	char *inrand=NULL;
 #ifndef OPENSSL_NO_ENGINE
 	char *engine=NULL;
 #endif
 	BIO *out=NULL;
 	apps_startup();
@@ -115,11 +119,13 @@ int MAIN(int argc, char **argv)
 			g=3; */
 		else if (strcmp(*argv,"-5") == 0)
 			g=5;
 #ifndef OPENSSL_NO_ENGINE
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 			}
 #endif
 		else if (strcmp(*argv,"-rand") == 0)
 			{
 			if (--argc < 1) goto bad;
@@ -138,14 +144,18 @@ bad:
 		BIO_printf(bio_err," -2        - use 2 as the generator value\n");
 	/*	BIO_printf(bio_err," -3        - use 3 as the generator value\n"); */
 		BIO_printf(bio_err," -5        - use 5 as the generator value\n");
 #ifndef OPENSSL_NO_ENGINE
 		BIO_printf(bio_err," -engine e - use engine e, possibly a hardware device.\n");
 #endif
 		BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
 		BIO_printf(bio_err,"           - load the file (or the files in the directory) into\n");
 		BIO_printf(bio_err,"             the random number generator\n");
 		goto end;
 		}
 #ifndef OPENSSL_NO_ENGINE
        e = setup_engine(bio_err, engine, 0);
 #endif
 	out=BIO_new(BIO_s_file());
 	if (out == NULL)
@@ -198,7 +208,7 @@ end:
 	if (out != NULL) BIO_free_all(out);
 	if (dh != NULL) DH_free(dh);
 	apps_shutdown();
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
 static void MS_CALLBACK dh_cb(int p, int n, void *arg)
--- a/apps/gendsa.c
+++ b/apps/gendsa.c
@@ -77,7 +77,9 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 	{
 #ifndef OPENSSL_NO_ENGINE
 	ENGINE *e = NULL;
 #endif
 	DSA *dsa=NULL;
 	int ret=1;
 	char *outfile=NULL;
@@ -85,7 +87,9 @@ int MAIN(int argc, char **argv)
 	char *passargout = NULL, *passout = NULL;
 	BIO *out=NULL,*in=NULL;
 	const EVP_CIPHER *enc=NULL;
 #ifndef OPENSSL_NO_ENGINE
 	char *engine=NULL;
 #endif
 	apps_startup();
@@ -111,11 +115,13 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			passargout= *(++argv);
 			}
 #ifndef OPENSSL_NO_ENGINE
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 			}
 #endif
 		else if (strcmp(*argv,"-rand") == 0)
 			{
 			if (--argc < 1) goto bad;
@@ -167,7 +173,9 @@ bad:
 		BIO_printf(bio_err," -aes128, -aes192, -aes256\n");
 		BIO_printf(bio_err,"                 encrypt PEM output with cbc aes\n");
 #endif
 #ifndef OPENSSL_NO_ENGINE
 		BIO_printf(bio_err," -engine e - use engine e, possibly a hardware device.\n");
 #endif
 		BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
 		BIO_printf(bio_err,"           - load the file (or the files in the directory) into\n");
 		BIO_printf(bio_err,"             the random number generator\n");
@@ -176,7 +184,9 @@ bad:
 		goto end;
 		}
 #ifndef OPENSSL_NO_ENGINE
        e = setup_engine(bio_err, engine, 0);
 #endif
 	if(!app_passwd(bio_err, NULL, passargout, NULL, &passout)) {
 		BIO_printf(bio_err, "Error getting password\n");
@@ -246,6 +256,6 @@ end:
 	if (dsa != NULL) DSA_free(dsa);
 	if(passout) OPENSSL_free(passout);
 	apps_shutdown();
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
 #endif
--- a/apps/genrsa.c
+++ b/apps/genrsa.c
@@ -81,7 +81,9 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 	{
 #ifndef OPENSSL_NO_ENGINE
 	ENGINE *e = NULL;
 #endif
 	int ret=1;
 	RSA *rsa=NULL;
 	int i,num=DEFBITS;
@@ -90,7 +92,9 @@ int MAIN(int argc, char **argv)
 	unsigned long f4=RSA_F4;
 	char *outfile=NULL;
 	char *passargout = NULL, *passout = NULL;
 #ifndef OPENSSL_NO_ENGINE
 	char *engine=NULL;
 #endif
 	char *inrand=NULL;
 	BIO *out=NULL;
@@ -122,11 +126,13 @@ int MAIN(int argc, char **argv)
 			f4=3;
 		else if (strcmp(*argv,"-F4") == 0 || strcmp(*argv,"-f4") == 0)
 			f4=RSA_F4;
 #ifndef OPENSSL_NO_ENGINE
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 			}
 #endif
 		else if (strcmp(*argv,"-rand") == 0)
 			{
 			if (--argc < 1) goto bad;
@@ -177,7 +183,9 @@ bad:
 		BIO_printf(bio_err," -passout arg    output file pass phrase source\n");
 		BIO_printf(bio_err," -f4             use F4 (0x10001) for the E value\n");
 		BIO_printf(bio_err," -3              use 3 for the E value\n");
 #ifndef OPENSSL_NO_ENGINE
 		BIO_printf(bio_err," -engine e       use engine e, possibly a hardware device.\n");
 #endif
 		BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
 		BIO_printf(bio_err,"                 load the file (or the files in the directory) into\n");
 		BIO_printf(bio_err,"                 the random number generator\n");
@@ -191,7 +199,9 @@ bad:
 		goto err;
 	}
 #ifndef OPENSSL_NO_ENGINE
        e = setup_engine(bio_err, engine, 0);
 #endif
 	if (outfile == NULL)
 		{
@@ -258,7 +268,7 @@ err:
 	if (ret != 0)
 		ERR_print_errors(bio_err);
 	apps_shutdown();
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
 static void MS_CALLBACK genrsa_cb(int p, int n, void *arg)
--- a/apps/makeapps.com
+++ b/apps/makeapps.com
@@ -15,22 +15,10 @@ $!
 $!  It was written so it would try to determine what "C" compiler to
 $!  use or you can specify which "C" compiler to use.
 $!
-$!  Specify RSAREF as P1 to compile with the RSAREF library instead of
+$!  Specify DEBUG or NODEBUG as P1 to compile with or without debugger
 $!  the regular one.  If you specify NORSAREF it will compile with the
 $!  regular RSAREF routines.  (Note: If you are in the United States
 $!  you MUST compile with RSAREF unless you have a license from RSA).
 $!
 $!  Note: The RSAREF libraries are NOT INCLUDED and you have to
 $!        download it from "ftp://ftp.rsa.com/rsaref".  You have to
 $!        get the ".tar-Z" file as the ".zip" file dosen't have the
 $!        directory structure stored.  You have to extract the file
 $!        into the [.RSAREF] directory under the root directory as that
 $!        is where the scripts will look for the files.
 $!
 $!  Specify DEBUG or NODEBUG as P2 to compile with or without debugger
 $!  information.
 $!
-$!  Specify which compiler at P3 to try to compile under.
+$!  Specify which compiler at P2 to try to compile under.
 $!
 $!	   VAXC	 For VAX C.
 $!	   DECC	 For DEC C.
@@ -39,16 +27,16 @@ $!
 $!  If you don't speficy a compiler, it will try to determine which
 $!  "C" compiler to use.
 $!
-$!  P4, if defined, sets a TCP/IP library to use, through one of the following
+$!  P3, if defined, sets a TCP/IP library to use, through one of the following
 $!  keywords:
 $!
 $!	UCX		for UCX
 $!	SOCKETSHR	for SOCKETSHR+NETLIB
 $!	TCPIP		for TCPIP (post UCX)
 $!
-$!  P5, if defined, sets a compiler thread NOT needed on OpenVMS 7.1 (and up)
+$!  P4, if defined, sets a compiler thread NOT needed on OpenVMS 7.1 (and up)
 $!
-$!  P6, if defined, sets a choice of programs to compile.
+$!  P5, if defined, sets a choice of programs to compile.
 $!
 $!
 $! Define A TCP/IP Library That We Will Need To Link To.
@@ -101,10 +89,6 @@ $! Define The CRYPTO Library.
 $!
 $ CRYPTO_LIB := SYS$DISK:[-.'ARCH'.EXE.CRYPTO]LIBCRYPTO.OLB
 $!
 $! Define The RSAREF Library.
 $!
 $ RSAREF_LIB := SYS$DISK:[-.'ARCH'.EXE.RSAREF]LIBRSAGLUE.OLB
 $!
 $! Define The SSL Library.
 $!
 $ SSL_LIB := SYS$DISK:[-.'ARCH'.EXE.SSL]LIBSSL.OLB
@@ -182,7 +166,7 @@ $!     TCPIP_PROGRAMS = ",S_SERVER,S_CLIENT,SESS_ID,CIPHERS,S_TIME,"
 $!
 $! Setup exceptional compilations
 $!
-$ COMPILEWITH_CC2 = ",S_SOCKET,S_SERVER,S_CLIENT,"
+$ COMPILEWITH_CC2 = ",S_SERVER,S_CLIENT,"
 $!
 $ PHASE := LIB
 $!
@@ -293,45 +277,7 @@ $   WRITE SYS$OUTPUT FILE_NAME," needs a TCP/IP library.  Can't link.  Skipping.
 $   GOTO NEXT_FILE
 $ ENDIF
 $!
-$! Link The Program, Check To See If We Need To Link With RSAREF Or Not.
+$! Link The Program.
 $!
 $ IF (RSAREF.EQS."TRUE")
 $ THEN
 $!
 $!  Check To See If We Are To Link With A Specific TCP/IP Library.
 $!
 $   IF (TCPIP_LIB.NES."")
 $   THEN
 $!
 $!    Link With The RSAREF Library And A Specific TCP/IP Library.
 $!
 $     LINK/'DEBUGGER'/'TRACEBACK' /EXE='EXE_FILE' -
 	  'OBJECT_FILE''EXTRA_OBJ', -
          'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY,'RSAREF_LIB'/LIBRARY, -
          'TCPIP_LIB','OPT_FILE'/OPTION
 $!
 $!  Else...
 $!
 $   ELSE
 $!
 $!    Link With The RSAREF Library And NO TCP/IP Library.
 $!
 $     LINK/'DEBUGGER'/'TRACEBACK' /EXE='EXE_FILE' -
 	  'OBJECT_FILE''EXTRA_OBJ', -
          'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY,'RSAREF_LIB'/LIBRARY, -
          'OPT_FILE'/OPTION
 $!
 $!  End The TCP/IP Library Check.
 $!
 $   ENDIF
 $!
 $! Else...
 $!
 $ ELSE
 $!
 $!  Don't Link With The RSAREF Routines.
 $!
 $!
 $! Check To See If We Are To Link With A Specific TCP/IP Library.
 $!
 $ IF (TCPIP_LIB.NES."")
@@ -359,10 +305,6 @@ $!  End The TCP/IP Library Check.
 $!
 $ ENDIF
 $!
 $! End The RSAREF Link Check.
 $!
 $ ENDIF
 $!
 $! Go Back And Do It Again.
 $!
 $ GOTO NEXT_FILE
@@ -526,32 +468,6 @@ $! End The Crypto Library Check.
 $!
 $ ENDIF
 $!
 $! See If We Need The RSAREF Library.
 $!
 $ IF (RSAREF.EQS."TRUE")
 $ THEN
 $!
 $!  Look For The Library LIBRSAGLUE.OLB.
 $!
 $   IF (F$SEARCH(RSAREF_LIB).EQS."")
 $   THEN
 $!
 $!    Tell The User We Can't Find The LIBRSAGLUE.OLB Library.
 $!
 $     WRITE SYS$OUTPUT ""
 $     WRITE SYS$OUTPUT "Can't Find The Library ",RSAREF_LIB,"."
 $     WRITE SYS$OUTPUT "We Can't Link Without It."
 $     WRITE SYS$OUTPUT ""
 $!
 $!    Since We Can't Link Without It, Exit.
 $!
 $     EXIT
 $   ENDIF
 $!
 $! End The RSAREF Library Check.
 $!
 $ ENDIF
 $!
 $! Look For The Library LIBSSL.OLB.
 $!
 $ IF (F$SEARCH(SSL_LIB).EQS."")
@@ -582,87 +498,10 @@ $ CHECK_OPTIONS:
 $!
 $! Check To See If P1 Is Blank.
 $!
-$ P1 = "NORSAREF"
+$ IF (P1.EQS."NODEBUG")
 $ IF (P1.EQS."NORSAREF")
 $ THEN
 $!
-$!   P1 Is NORSAREF, So Compile With The Regular RSA Libraries.
+$!   P1 Is NODEBUG, So Compile Without Debugger Information.
 $!
 $    RSAREF = "FALSE"
 $!
 $! Else...
 $!
 $ ELSE
 $!
 $!  Check To See If We Are To Use The RSAREF Library.
 $!
 $   IF (P1.EQS."RSAREF")
 $   THEN
 $!
 $!    Check To Make Sure We Have The RSAREF Source Code Directory.
 $!
 $     IF (F$SEARCH("SYS$DISK:[-.RSAREF]SOURCE.DIR").EQS."")
 $     THEN
 $!
 $!      We Don't Have The RSAREF Souce Code Directory, So Tell The
 $!      User This.
 $!
 $       WRITE SYS$OUTPUT ""
 $       WRITE SYS$OUTPUT "It appears that you don't have the RSAREF Souce Code."
 $       WRITE SYS$OUTPUT "You need to go to 'ftp://ftp.rsa.com/rsaref'.  You have to"
 $       WRITE SYS$OUTPUT "get the '.tar-Z' file as the '.zip' file dosen't have the"
 $       WRITE SYS$OUTPUT "directory structure stored.  You have to extract the file"
 $       WRITE SYS$OUTPUT "into the [.RSAREF] directory under the root directory"
 $       WRITE SYS$OUTPUT "as that is where the scripts will look for the files."
 $       WRITE SYS$OUTPUT ""
 $!
 $!      Time To Exit.
 $!
 $       EXIT
 $!
 $!    Else...
 $!
 $     ELSE
 $!
 $!      Compile Using The RSAREF Library.
 $!
 $       RSAREF = "TRUE"
 $!
 $!    End The RSAREF Soure Directory Check.
 $!
 $     ENDIF
 $!
 $!  Else...
 $!
 $   ELSE 
 $!
 $!    They Entered An Invalid Option..
 $!
 $     WRITE SYS$OUTPUT ""
 $     WRITE SYS$OUTPUT "The Option ",P1," Is Invalid.  The Valid Options Are:"
 $     WRITE SYS$OUTPUT ""
 $     WRITE SYS$OUTPUT "     RSAREF   :  Compile With The RSAREF Library."
 $     WRITE SYS$OUTPUT "     NORSAREF :  Compile With The Regular RSA Library."
 $     WRITE SYS$OUTPUT ""
 $!
 $!    Time To EXIT.
 $!
 $     EXIT
 $!
 $!  End The Valid Arguement Check.
 $!
 $   ENDIF
 $!
 $! End P1 Check.
 $!
 $ ENDIF
 $!
 $! Check To See If P2 Is Blank.
 $!
 $ IF (P2.EQS."NODEBUG")
 $ THEN
 $!
 $!   P2 Is NODEBUG, So Compile Without Debugger Information.
 $!
 $    DEBUGGER  = "NODEBUG"
 $    TRACEBACK = "NOTRACEBACK" 
@@ -677,7 +516,7 @@ $ ELSE
 $!
 $!  Check To See If We Are To Compile With Debugger Information.
 $!
-$   IF (P2.EQS."DEBUG")
+$   IF (P1.EQS."DEBUG")
 $   THEN
 $!
 $!    Compile With Debugger Information.
@@ -693,7 +532,7 @@ $!
 $!    Tell The User Entered An Invalid Option..
 $!
 $     WRITE SYS$OUTPUT ""
-$     WRITE SYS$OUTPUT "The Option ",P2," Is Invalid.  The Valid Options Are:"
+$     WRITE SYS$OUTPUT "The Option ",P1," Is Invalid.  The Valid Options Are:"
 $     WRITE SYS$OUTPUT ""
 $     WRITE SYS$OUTPUT "    DEBUG    :  Compile With The Debugger Information."
 $     WRITE SYS$OUTPUT "    NODEBUG  :  Compile Without The Debugger Information."
@@ -707,13 +546,13 @@ $!  End The Valid Arguement Check.
 $!
 $   ENDIF
 $!
-$! End The P2 Check.
+$! End The P1 Check.
 $!
 $ ENDIF
 $!
-$! Check To See If P3 Is Blank.
+$! Check To See If P2 Is Blank.
 $!
-$ IF (P3.EQS."")
+$ IF (P2.EQS."")
 $ THEN
 $!
 $!  O.K., The User Didn't Specify A Compiler, Let's Try To
@@ -726,7 +565,7 @@ $   THEN
 $!
 $!    Looks Like GNUC, Set To Use GNUC.
 $!
-$     P3 = "GNUC"
+$     P2 = "GNUC"
 $!
 $!  Else...
 $!
@@ -739,7 +578,7 @@ $     THEN
 $!
 $!      Looks Like DECC, Set To Use DECC.
 $!
-$       P3 = "DECC"
+$       P2 = "DECC"
 $!
 $!    Else...
 $!
@@ -747,7 +586,7 @@ $     ELSE
 $!
 $!      Looks Like VAXC, Set To Use VAXC.
 $!
-$       P3 = "VAXC"
+$       P2 = "VAXC"
 $!
 $!    End The VAXC Compiler Check.
 $!
@@ -761,9 +600,9 @@ $!  End The Compiler Check.
 $!
 $ ENDIF
 $!
-$! Check To See If We Have A Option For P4.
+$! Check To See If We Have A Option For P3.
 $!
-$ IF (P4.EQS."")
+$ IF (P3.EQS."")
 $ THEN
 $!
 $!  Find out what socket library we have available
@@ -773,7 +612,7 @@ $   THEN
 $!
 $!    We have SOCKETSHR, and it is my opinion that it's the best to use.
 $!
-$     P4 = "SOCKETSHR"
+$     P3 = "SOCKETSHR"
 $!
 $!    Tell the user
 $!
@@ -793,7 +632,7 @@ $     THEN
 $!
 $!	Last resort: a UCX or UCX-compatible library
 $!
-$	P4 = "UCX"
+$	P3 = "UCX"
 $!
 $!      Tell the user
 $!
@@ -817,12 +656,12 @@ $ IF F$TYPE(USER_CCDISABLEWARNINGS) .NES. "" THEN -
 $!
 $!  Check To See If The User Entered A Valid Paramter.
 $!
-$ IF (P3.EQS."VAXC").OR.(P3.EQS."DECC").OR.(P3.EQS."GNUC")
+$ IF (P2.EQS."VAXC").OR.(P2.EQS."DECC").OR.(P2.EQS."GNUC")
 $ THEN
 $!
 $!  Check To See If The User Wanted DECC.
 $!
-$   IF (P3.EQS."DECC")
+$   IF (P2.EQS."DECC")
 $   THEN
 $!
 $!    Looks Like DECC, Set To Use DECC.
@@ -852,7 +691,7 @@ $   ENDIF
 $!
 $!  Check To See If We Are To Use VAXC.
 $!
-$   IF (P3.EQS."VAXC")
+$   IF (P2.EQS."VAXC")
 $   THEN
 $!
 $!    Looks Like VAXC, Set To Use VAXC.
@@ -889,7 +728,7 @@ $   ENDIF
 $!
 $!  Check To See If We Are To Use GNU C.
 $!
-$   IF (P3.EQS."GNUC")
+$   IF (P2.EQS."GNUC")
 $   THEN
 $!
 $!    Looks Like GNUC, Set To Use GNUC.
@@ -918,31 +757,6 @@ $!  Set up default defines
 $!
 $   CCDEFS = """FLAT_INC=1""," + CCDEFS
 $!
 $!  Check To See If We Are To Compile With RSAREF Routines.
 $!
 $   IF (RSAREF.EQS."TRUE")
 $   THEN
 $!
 $!    Compile With RSAREF.
 $!
 $     CCDEFS = CCDEFS + ",""RSAref=1"""
 $!
 $!    Tell The User This.
 $!
 $     WRITE SYS$OUTPUT "Compiling With RSAREF Routines."
 $!
 $!    Else, We Don't Care.  Compile Without The RSAREF Library.
 $!
 $   ELSE
 $!
 $!    Tell The User We Are Compile Without The RSAREF Routines.
 $!
 $     WRITE SYS$OUTPUT "Compiling Without The RSAREF Routines.
 $!
 $!  End The RSAREF Check.
 $!
 $   ENDIF
 $!
 $!  Else The User Entered An Invalid Arguement.
 $!
 $ ELSE
@@ -950,7 +764,7 @@ $!
 $!  Tell The User We Don't Know What They Want.
 $!
 $   WRITE SYS$OUTPUT ""
-$   WRITE SYS$OUTPUT "The Option ",P3," Is Invalid.  The Valid Options Are:"
+$   WRITE SYS$OUTPUT "The Option ",P2," Is Invalid.  The Valid Options Are:"
 $   WRITE SYS$OUTPUT ""
 $   WRITE SYS$OUTPUT "    VAXC  :  To Compile With VAX C."
 $   WRITE SYS$OUTPUT "    DECC  :  To Compile With DEC C."
@@ -964,13 +778,13 @@ $ ENDIF
 $!
 $! Time to check the contents, and to make sure we get the correct library.
 $!
-$ IF P4.EQS."SOCKETSHR" .OR. P4.EQS."MULTINET" .OR. P4.EQS."UCX" -
+$ IF P3.EQS."SOCKETSHR" .OR. P3.EQS."MULTINET" .OR. P3.EQS."UCX" -
-     .OR. P4.EQS."TCPIP" .OR. P4.EQS."NONE"
+     .OR. P3.EQS."TCPIP" .OR. P3.EQS."NONE"
 $ THEN
 $!
 $!  Check to see if SOCKETSHR was chosen
 $!
-$   IF P4.EQS."SOCKETSHR"
+$   IF P3.EQS."SOCKETSHR"
 $   THEN
 $!
 $!    Set the library to use SOCKETSHR
@@ -983,12 +797,12 @@ $   ENDIF
 $!
 $!  Check to see if MULTINET was chosen
 $!
-$   IF P4.EQS."MULTINET"
+$   IF P3.EQS."MULTINET"
 $   THEN
 $!
 $!    Set the library to use UCX emulation.
 $!
-$     P4 = "UCX"
+$     P3 = "UCX"
 $!
 $!    Done with MULTINET
 $!
@@ -996,7 +810,7 @@ $   ENDIF
 $!
 $!  Check to see if UCX was chosen
 $!
-$   IF P4.EQS."UCX"
+$   IF P3.EQS."UCX"
 $   THEN
 $!
 $!    Set the library to use UCX.
@@ -1016,7 +830,7 @@ $   ENDIF
 $!
 $!  Check to see if TCPIP (post UCX) was chosen
 $!
-$   IF P4.EQS."TCPIP"
+$   IF P3.EQS."TCPIP"
 $   THEN
 $!
 $!    Set the library to use TCPIP.
@@ -1029,7 +843,7 @@ $   ENDIF
 $!
 $!  Check to see if NONE was chosen
 $!
-$   IF P4.EQS."NONE"
+$   IF P3.EQS."NONE"
 $   THEN
 $!
 $!    Do not use TCPIP.
@@ -1042,7 +856,7 @@ $   ENDIF
 $!
 $!  Add TCP/IP type to CC definitions.
 $!
-$   CCDEFS = CCDEFS + ",TCPIP_TYPE_''P4'"
+$   CCDEFS = CCDEFS + ",TCPIP_TYPE_''P3'"
 $!
 $!  Print info
 $!
@@ -1055,7 +869,7 @@ $!
 $!  Tell The User We Don't Know What They Want.
 $!
 $   WRITE SYS$OUTPUT ""
-$   WRITE SYS$OUTPUT "The Option ",P4," Is Invalid.  The Valid Options Are:"
+$   WRITE SYS$OUTPUT "The Option ",P3," Is Invalid.  The Valid Options Are:"
 $   WRITE SYS$OUTPUT ""
 $   WRITE SYS$OUTPUT "    SOCKETSHR  :  To link with SOCKETSHR TCP/IP library."
 $   WRITE SYS$OUTPUT "    UCX        :  To link with UCX TCP/IP library."
@@ -1086,7 +900,7 @@ $ CC = CC + "/DEFINE=(" + CCDEFS + ")" + CCDISABLEWARNINGS
 $!
 $! Show user the result
 $!
-$ WRITE SYS$OUTPUT "Main Compiling Command: ",CC
+$ WRITE/SYMBOL SYS$OUTPUT "Main Compiling Command: ",CC
 $!
 $! Special Threads For OpenVMS v7.1 Or Later
 $!
@@ -1094,9 +908,9 @@ $! Written By:  Richard Levitte
 $!              richard@levitte.org
 $!
 $!
-$! Check To See If We Have A Option For P5.
+$! Check To See If We Have A Option For P4.
 $!
-$ IF (P5.EQS."")
+$ IF (P4.EQS."")
 $ THEN
 $!
 $!  Get The Version Of VMS We Are Using.
@@ -1118,15 +932,15 @@ $!  End The VMS Version Check.
 $!
 $   ENDIF
 $!
-$! End The P5 Check.
+$! End The P4 Check.
 $!
 $ ENDIF
 $!
 $! Check if the user wanted to compile just a subset of all the programs.
 $!
-$ IF P6 .NES. ""
+$ IF P5 .NES. ""
 $ THEN
-$   PROGRAMS = P6
+$   PROGRAMS = P5
 $ ENDIF
 $!
 $!  Time To RETURN...
--- a/apps/nseq.c
+++ b/apps/nseq.c
@@ -102,7 +102,7 @@ int MAIN(int argc, char **argv)
 		BIO_printf (bio_err, "-in file  input file\n");
 		BIO_printf (bio_err, "-out file output file\n");
 		BIO_printf (bio_err, "-toseq    output NS Sequence file\n");
-		EXIT(1);
+		OPENSSL_EXIT(1);
 	}
 	if (infile) {
@@ -162,6 +162,6 @@ end:
 	BIO_free_all(out);
 	NETSCAPE_CERT_SEQUENCE_free(seq);
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 }
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -55,6 +55,7 @@
 * Hudson (tjh@cryptsoft.com).
 *
 */
 #ifndef OPENSSL_NO_OCSP
 #include <stdio.h>
 #include <string.h>
@@ -613,11 +614,11 @@ int MAIN(int argc, char **argv)
 			NULL, e, "CA certificate");
 		if (rcertfile)
 			{
-			rother = load_certs(bio_err, sign_certfile, FORMAT_PEM,
+			rother = load_certs(bio_err, rcertfile, FORMAT_PEM,
 				NULL, e, "responder other certificates");
-			if (!sign_other) goto end;
+			if (!rother) goto end;
 			}
-		rkey = load_key(bio_err, rkeyfile, FORMAT_PEM, NULL, NULL,
+		rkey = load_key(bio_err, rkeyfile, FORMAT_PEM, 0, NULL, NULL,
 			"responder private key");
 		if (!rkey)
 			goto end;
@@ -663,7 +664,7 @@ int MAIN(int argc, char **argv)
 				NULL, e, "signer certificates");
 			if (!sign_other) goto end;
 			}
-		key = load_key(bio_err, keyfile, FORMAT_PEM, NULL, NULL,
+		key = load_key(bio_err, keyfile, FORMAT_PEM, 0, NULL, NULL,
 			"signer private key");
 		if (!key)
 			goto end;
@@ -722,7 +723,12 @@ int MAIN(int argc, char **argv)
 		}
 	else if (host)
 		{
 #ifndef OPENSSL_NO_SOCK
 		cbio = BIO_new_connect(host);
 #else
 		BIO_printf(bio_err, "Error creating connect BIO - sockets not supported.\n");
 		goto end;
 #endif
 		if (!cbio)
 			{
 			BIO_printf(bio_err, "Error creating connect BIO\n");
@@ -732,7 +738,16 @@ int MAIN(int argc, char **argv)
 		if (use_ssl == 1)
 			{
 			BIO *sbio;
 #if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
 			ctx = SSL_CTX_new(SSLv23_client_method());
 #elif !defined(OPENSSL_NO_SSL3)
 			ctx = SSL_CTX_new(SSLv3_client_method());
 #elif !defined(OPENSSL_NO_SSL2)
 			ctx = SSL_CTX_new(SSLv2_client_method());
 #else
 			BIO_printf(bio_err, "SSL is disabled\n");
 			goto end;
 #endif
 			SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
 			sbio = BIO_new_ssl(ctx, 1);
 			cbio = BIO_push(sbio, cbio);
@@ -899,7 +914,7 @@ end:
 		SSL_CTX_free(ctx);
 		}
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 }
 static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, X509 *issuer,
@@ -1120,6 +1135,9 @@ static char **lookup_serial(TXT_DB *db, ASN1_INTEGER *ser)
 	char *itmp, *row[DB_NUMBER],**rrow;
 	for (i = 0; i < DB_NUMBER; i++) row[i] = NULL;
 	bn = ASN1_INTEGER_to_BN(ser,NULL);
 	if (BN_is_zero(bn))
 		itmp = BUF_strdup("00");
 	else
 		itmp = BN_bn2hex(bn);
 	row[DB_serial] = itmp;
 	BN_free(bn);
@@ -1136,7 +1154,11 @@ static BIO *init_responder(char *port)
 	bufbio = BIO_new(BIO_f_buffer());
 	if (!bufbio) 
 		goto err;
 #ifndef OPENSSL_NO_SOCK
 	acbio = BIO_new_accept(port);
 #else
 	BIO_printf(bio_err, "Error setting up accept BIO - sockets not supported.\n");
 #endif
 	if (!acbio)
 		goto err;
 	BIO_set_accept_bios(acbio, bufbio);
@@ -1176,7 +1198,7 @@ static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, char *port
 	for(;;)
 		{
-		len = BIO_gets(cbio, inbuf, 1024);
+		len = BIO_gets(cbio, inbuf, sizeof inbuf);
 		if (len <= 0)
 			return 1;
 		/* Look for "POST" signalling start of query */
@@ -1223,3 +1245,4 @@ static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp)
 	return 1;
 	}
 #endif
--- a/apps/openssl.c
+++ b/apps/openssl.c
@@ -122,7 +122,9 @@
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 #include <openssl/ssl.h>
 #ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
 #endif
 #define USE_SOCKETS /* needed for the _O_BINARY defs in the MS world */
 #include "progs.h"
 #include "s_apps.h"
@@ -139,11 +141,11 @@ static unsigned long MS_CALLBACK hash(const void *a_void);
 static int MS_CALLBACK cmp(const void *a_void,const void *b_void);
 static LHASH *prog_init(void );
 static int do_cmd(LHASH *prog,int argc,char *argv[]);
 CONF *config=NULL;
 char *default_config_file=NULL;
 /* Make sure there is only one when MONOLITH is defined */
 #ifdef MONOLITH
 CONF *config=NULL;
 BIO *bio_err=NULL;
 #endif
@@ -218,7 +220,8 @@ int main(int Argc, char *Argv[])
 #define PROG_NAME_SIZE	39
 	char pname[PROG_NAME_SIZE+1];
 	FUNCTION f,*fp;
-	MS_STATIC char *prompt,buf[1024],config_name[256];
+	MS_STATIC char *prompt,buf[1024];
 	char *to_free=NULL;
 	int n,i,ret=0;
 	int argc;
 	char **argv,*p;
@@ -228,6 +231,10 @@ int main(int Argc, char *Argv[])
 	arg.data=NULL;
 	arg.count=0;
 	if (bio_err == NULL)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
 	if (getenv("OPENSSL_DEBUG_MEMORY") != NULL) /* if not defined, use compiled-in library defaults */
 		{
 		if (!(0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off")))
@@ -252,23 +259,12 @@ int main(int Argc, char *Argv[])
 	apps_startup();
 	if (bio_err == NULL)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
 	/* Lets load up our environment a little */
 	p=getenv("OPENSSL_CONF");
 	if (p == NULL)
 		p=getenv("SSLEAY_CONF");
 	if (p == NULL)
-		{
+		p=to_free=make_config_name();
 		strcpy(config_name,X509_get_default_cert_area());
 #ifndef OPENSSL_SYS_VMS
 		strcat(config_name,"/");
 #endif
 		strcat(config_name,OPENSSL_CONF);
 		p=config_name;
 		}
 	default_config_file=p;
@@ -284,7 +280,7 @@ int main(int Argc, char *Argv[])
 	prog=prog_init();
 	/* first check the program name */
-	program_name(Argv[0],pname,PROG_NAME_SIZE);
+	program_name(Argv[0],pname,sizeof pname);
 	f.name=pname;
 	fp=(FUNCTION *)lh_retrieve(prog,&f);
@@ -312,7 +308,7 @@ int main(int Argc, char *Argv[])
 		{
 		ret=0;
 		p=buf;
-		n=1024;
+		n=sizeof buf;
 		i=0;
 		for (;;)
 			{
@@ -346,6 +342,8 @@ int main(int Argc, char *Argv[])
 	BIO_printf(bio_err,"bad exit\n");
 	ret=1;
 end:
 	if (to_free)
 		OPENSSL_free(to_free);
 	if (config != NULL)
 		{
 		NCONF_free(config);
@@ -362,7 +360,7 @@ end:
 		BIO_free(bio_err);
 		bio_err=NULL;
 		}
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
 #define LIST_STANDARD_COMMANDS "list-standard-commands"
--- a/apps/passwd.c
+++ b/apps/passwd.c
@@ -19,7 +19,6 @@
 # include <openssl/des.h>
 #endif
 #ifndef NO_MD5CRYPT_1
 # include <openssl/evp.h>
 # include <openssl/md5.h>
 #endif
@@ -293,7 +292,7 @@ err:
 	if (out)
 		BIO_free_all(out);
 	apps_shutdown();
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
@@ -506,6 +505,6 @@ err:
 int MAIN(int argc, char **argv)
 	{
 	fputs("Program not available.\n", stderr)
-	EXIT(1);
+	OPENSSL_EXIT(1);
 	}
 #endif
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -120,7 +120,9 @@ int MAIN(int argc, char **argv)
    char *passin = NULL, *passout = NULL;
    char *inrand = NULL;
    char *CApath = NULL, *CAfile = NULL;
 #ifndef OPENSSL_NO_ENGINE
    char *engine=NULL;
 #endif
    apps_startup();
@@ -252,11 +254,13 @@ int MAIN(int argc, char **argv)
 			args++;	
 			CAfile = *args;
 		    } else badarg = 1;
 #ifndef OPENSSL_NO_ENGINE
 		} else if (!strcmp(*args,"-engine")) {
 		    if (args[1]) {
 			args++;	
 			engine = *args;
 		    } else badarg = 1;
 #endif
 		} else badarg = 1;
 	} else badarg = 1;
@@ -304,14 +308,18 @@ int MAIN(int argc, char **argv)
 	BIO_printf (bio_err, "-password p   set import/export password source\n");
 	BIO_printf (bio_err, "-passin p     input file pass phrase source\n");
 	BIO_printf (bio_err, "-passout p    output file pass phrase source\n");
 #ifndef OPENSSL_NO_ENGINE
 	BIO_printf (bio_err, "-engine e     use engine e, possibly a hardware device.\n");
 #endif
 	BIO_printf(bio_err,  "-rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
 	BIO_printf(bio_err,  "              load the file (or the files in the directory) into\n");
 	BIO_printf(bio_err,  "              the random number generator\n");
    	goto end;
    }
 #ifndef OPENSSL_NO_ENGINE
    e = setup_engine(bio_err, engine, 0);
 #endif
    if(passarg) {
 	if(export_cert) passargout = passarg;
@@ -399,7 +407,7 @@ int MAIN(int argc, char **argv)
 #ifdef CRYPTO_MDEBUG
    CRYPTO_push_info("read MAC password");
 #endif
-	if(EVP_read_pw_string (macpass, 50, "Enter MAC Password:", export_cert))
+	if(EVP_read_pw_string (macpass, sizeof macpass, "Enter MAC Password:", export_cert))
 	{
    	    BIO_printf (bio_err, "Can't read Password\n");
    	    goto end;
@@ -427,7 +435,7 @@ int MAIN(int argc, char **argv)
 	CRYPTO_push_info("process -export_cert");
 	CRYPTO_push_info("reading private key");
 #endif
-	key = load_key(bio_err, keyname ? keyname : infile, FORMAT_PEM,
+	key = load_key(bio_err, keyname ? keyname : infile, FORMAT_PEM, 1,
 		passin, e, "private key");
 	if (!key) {
 		goto export_end;
@@ -508,9 +516,10 @@ int MAIN(int argc, char **argv)
 		    /* Exclude verified certificate */
 		    for (i = 1; i < sk_X509_num (chain2) ; i++) 
 			sk_X509_push(certs, sk_X509_value (chain2, i));
-		}
+		    /* Free first certificate */
 		    X509_free(sk_X509_value(chain2, 0));
 		    sk_X509_free(chain2);
-		if (vret) {
+		} else {
 			BIO_printf (bio_err, "Error %s getting chain.\n",
 					X509_verify_cert_error_string(vret));
 			goto export_end;
@@ -537,8 +546,6 @@ int MAIN(int argc, char **argv)
 	}
 	sk_X509_pop_free(certs, X509_free);
 	certs = NULL;
 	/* ucert is part of certs so it is already freed */
 	ucert = NULL;
 #ifdef CRYPTO_MDEBUG
 	CRYPTO_pop_info();
@@ -546,7 +553,7 @@ int MAIN(int argc, char **argv)
 #endif
 	if(!noprompt &&
-		EVP_read_pw_string(pass, 50, "Enter Export Password:", 1)) {
+		EVP_read_pw_string(pass, sizeof pass, "Enter Export Password:", 1)) {
 	    BIO_printf (bio_err, "Can't read Password\n");
 	    goto export_end;
        }
@@ -627,7 +634,6 @@ int MAIN(int argc, char **argv)
 	if (certs) sk_X509_pop_free(certs, X509_free);
 	if (safes) sk_PKCS7_pop_free(safes, PKCS7_free);
 	if (bags) sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
 	if (ucert) X509_free(ucert);
 #ifdef CRYPTO_MDEBUG
 	CRYPTO_pop_info();
@@ -644,7 +650,7 @@ int MAIN(int argc, char **argv)
 #ifdef CRYPTO_MDEBUG
    CRYPTO_push_info("read import password");
 #endif
-    if(!noprompt && EVP_read_pw_string(pass, 50, "Enter Import Password:", 0)) {
+    if(!noprompt && EVP_read_pw_string(pass, sizeof pass, "Enter Import Password:", 0)) {
 	BIO_printf (bio_err, "Can't read Password\n");
 	goto end;
    }
@@ -698,7 +704,7 @@ int MAIN(int argc, char **argv)
    if(passin) OPENSSL_free(passin);
    if(passout) OPENSSL_free(passout);
    apps_shutdown();
-    EXIT(ret);
+    OPENSSL_EXIT(ret);
 }
 int dump_certs_keys_p12 (BIO *out, PKCS12 *p12, char *pass,
--- a/apps/pkcs7.c
+++ b/apps/pkcs7.c
@@ -82,7 +82,9 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 	{
 #ifndef OPENSSL_NO_ENGINE
 	ENGINE *e = NULL;
 #endif
 	PKCS7 *p7=NULL;
 	int i,badops=0;
 	BIO *in=NULL,*out=NULL;
@@ -90,7 +92,9 @@ int MAIN(int argc, char **argv)
 	char *infile,*outfile,*prog;
 	int print_certs=0,text=0,noout=0;
 	int ret=1;
 #ifndef OPENSSL_NO_ENGINE
 	char *engine=NULL;
 #endif
 	apps_startup();
@@ -134,11 +138,13 @@ int MAIN(int argc, char **argv)
 			text=1;
 		else if (strcmp(*argv,"-print_certs") == 0)
 			print_certs=1;
 #ifndef OPENSSL_NO_ENGINE
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 			}
 #endif
 		else
 			{
 			BIO_printf(bio_err,"unknown option %s\n",*argv);
@@ -161,14 +167,18 @@ bad:
 		BIO_printf(bio_err," -print_certs  print any certs or crl in the input\n");
 		BIO_printf(bio_err," -text         print full details of certificates\n");
 		BIO_printf(bio_err," -noout        don't output encoded data\n");
 #ifndef OPENSSL_NO_ENGINE
 		BIO_printf(bio_err," -engine e     use engine e, possibly a hardware device.\n");
 #endif
 		ret = 1;
 		goto end;
 		}
 	ERR_load_crypto_strings();
 #ifndef OPENSSL_NO_ENGINE
        e = setup_engine(bio_err, engine, 0);
 #endif
 	in=BIO_new(BIO_s_file());
 	out=BIO_new(BIO_s_file());
@@ -301,5 +311,5 @@ end:
 	if (in != NULL) BIO_free(in);
 	if (out != NULL) BIO_free_all(out);
 	apps_shutdown();
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
--- a/apps/pkcs8.c
+++ b/apps/pkcs8.c
@@ -63,7 +63,6 @@
 #include <openssl/evp.h>
 #include <openssl/pkcs12.h>
 #include "apps.h"
 #define PROG pkcs8_main
 int MAIN(int, char **);
@@ -86,7 +85,9 @@ int MAIN(int argc, char **argv)
 	EVP_PKEY *pkey=NULL;
 	char pass[50], *passin = NULL, *passout = NULL, *p8pass = NULL;
 	int badarg = 0;
 #ifndef OPENSSL_NO_ENGINE
 	char *engine=NULL;
 #endif
 	if (bio_err == NULL) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
@@ -146,11 +147,13 @@ int MAIN(int argc, char **argv)
 			if (!args[1]) goto bad;
 			passargout= *(++args);
 			}
 #ifndef OPENSSL_NO_ENGINE
 		else if (strcmp(*args,"-engine") == 0)
 			{
 			if (!args[1]) goto bad;
 			engine= *(++args);
 			}
 #endif
 		else if (!strcmp (*args, "-in")) {
 			if (args[1]) {
 				args++;
@@ -183,11 +186,15 @@ int MAIN(int argc, char **argv)
 		BIO_printf(bio_err, "-nocrypt        use or expect unencrypted private key\n");
 		BIO_printf(bio_err, "-v2 alg         use PKCS#5 v2.0 and cipher \"alg\"\n");
 		BIO_printf(bio_err, "-v1 obj         use PKCS#5 v1.5 and cipher \"alg\"\n");
 #ifndef OPENSSL_NO_ENGINE
 		BIO_printf(bio_err," -engine e       use engine e, possibly a hardware device.\n");
 #endif
 		return (1);
 	}
 #ifndef OPENSSL_NO_ENGINE
        e = setup_engine(bio_err, engine, 0);
 #endif
 	if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
 		BIO_printf(bio_err, "Error getting passwords\n");
@@ -222,7 +229,8 @@ int MAIN(int argc, char **argv)
 	if (topk8)
 		{
 		BIO_free(in); /* Not needed in this section */
-		pkey = load_key(bio_err, infile, informat, passin, e, "key");
+		pkey = load_key(bio_err, infile, informat, 1,
 			passin, e, "key");
 		if (!pkey) {
 			return (1);
 		}
@@ -244,7 +252,8 @@ int MAIN(int argc, char **argv)
 			if(passout) p8pass = passout;
 			else {
 				p8pass = pass;
-				EVP_read_pw_string(pass, 50, "Enter Encryption Password:", 1);
+				if (EVP_read_pw_string(pass, sizeof pass, "Enter Encryption Password:", 1))
 					return (1);
 			}
 			app_RAND_load_file(NULL, bio_err, 0);
 			if (!(p8 = PKCS8_encrypt(pbe_nid, cipher,
@@ -301,7 +310,7 @@ int MAIN(int argc, char **argv)
 		if(passin) p8pass = passin;
 		else {
 			p8pass = pass;
-			EVP_read_pw_string(pass, 50, "Enter Password:", 0);
+			EVP_read_pw_string(pass, sizeof pass, "Enter Password:", 0);
 		}
 		p8inf = PKCS8_decrypt(p8, p8pass, strlen(p8pass));
 		X509_SIG_free(p8);
--- a/apps/progs.h
+++ b/apps/progs.h
@@ -17,8 +17,6 @@ extern int rsa_main(int argc,char *argv[]);
 extern int rsautl_main(int argc,char *argv[]);
 extern int dsa_main(int argc,char *argv[]);
 extern int dsaparam_main(int argc,char *argv[]);
 extern int ecdsa_main(int argc,char *argv[]);
 extern int ecparam_main(int argc,char *argv[]);
 extern int x509_main(int argc,char *argv[]);
 extern int genrsa_main(int argc,char *argv[]);
 extern int gendsa_main(int argc,char *argv[]);
@@ -37,7 +35,9 @@ extern int pkcs8_main(int argc,char *argv[]);
 extern int spkac_main(int argc,char *argv[]);
 extern int smime_main(int argc,char *argv[]);
 extern int rand_main(int argc,char *argv[]);
 #ifndef OPENSSL_NO_ENGINE
 extern int engine_main(int argc,char *argv[]);
 #endif
 extern int ocsp_main(int argc,char *argv[]);
 #define FUNC_TYPE_GENERAL	1
@@ -80,12 +80,6 @@ FUNCTION functions[] = {
 #endif
 #ifndef OPENSSL_NO_DSA
 	{FUNC_TYPE_GENERAL,"dsaparam",dsaparam_main},
 #endif
 #ifndef OPENSSL_NO_ECDSA
 	{FUNC_TYPE_GENERAL,"ecdsa",ecdsa_main},
 #endif
 #ifndef OPENSSL_NO_ECDSA
 	{FUNC_TYPE_GENERAL,"ecparam",ecparam_main},
 #endif
 	{FUNC_TYPE_GENERAL,"x509",x509_main},
 #ifndef OPENSSL_NO_RSA
@@ -100,7 +94,9 @@ FUNCTION functions[] = {
 #if !defined(OPENSSL_NO_SOCK) && !(defined(OPENSSL_NO_SSL2) && defined(OPENSSL_NO_SSL3))
 	{FUNC_TYPE_GENERAL,"s_client",s_client_main},
 #endif
 #ifndef OPENSSL_NO_SPEED
 	{FUNC_TYPE_GENERAL,"speed",speed_main},
 #endif
 #if !defined(OPENSSL_NO_SOCK) && !(defined(OPENSSL_NO_SSL2) && defined(OPENSSL_NO_SSL3))
 	{FUNC_TYPE_GENERAL,"s_time",s_time_main},
 #endif
@@ -119,7 +115,9 @@ FUNCTION functions[] = {
 	{FUNC_TYPE_GENERAL,"spkac",spkac_main},
 	{FUNC_TYPE_GENERAL,"smime",smime_main},
 	{FUNC_TYPE_GENERAL,"rand",rand_main},
 #ifndef OPENSSL_NO_ENGINE
 	{FUNC_TYPE_GENERAL,"engine",engine_main},
 #endif
 	{FUNC_TYPE_GENERAL,"ocsp",ocsp_main},
 #ifndef OPENSSL_NO_MD2
 	{FUNC_TYPE_MD,"md2",dgst_main},
--- a/apps/progs.pl
+++ b/apps/progs.pl
@@ -33,8 +33,6 @@ foreach (@ARGV)
 		{ print "#ifndef OPENSSL_NO_RSA\n${str}#endif\n";  }
 	elsif ( ($_ =~ /^dsa$/) || ($_ =~ /^gendsa$/) || ($_ =~ /^dsaparam$/))
 		{ print "#ifndef OPENSSL_NO_DSA\n${str}#endif\n"; }
 	elsif ( ($_ =~ /^ecdsa$/) || ($_ =~ /^ecdsaparam$/))
 		{ print "#ifndef OPENSSL_NO_ECDSA\n${str}#endif\n";}
 	elsif ( ($_ =~ /^dh$/) || ($_ =~ /^gendh$/) || ($_ =~ /^dhparam$/))
 		{ print "#ifndef OPENSSL_NO_DH\n${str}#endif\n"; }
 	elsif ( ($_ =~ /^pkcs12$/))
--- a/apps/rand.c
+++ b/apps/rand.c
@@ -76,7 +76,9 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 	{
 #ifndef OPENSSL_NO_ENGINE
 	ENGINE *e = NULL;
 #endif
 	int i, r, ret = 1;
 	int badopt;
 	char *outfile = NULL;
@@ -84,7 +86,9 @@ int MAIN(int argc, char **argv)
 	int base64 = 0;
 	BIO *out = NULL;
 	int num = -1;
 #ifndef OPENSSL_NO_ENGINE
 	char *engine=NULL;
 #endif
 	apps_startup();
@@ -106,6 +110,7 @@ int MAIN(int argc, char **argv)
 			else
 				badopt = 1;
 			}
 #ifndef OPENSSL_NO_ENGINE
 		else if (strcmp(argv[i], "-engine") == 0)
 			{
 			if ((argv[i+1] != NULL) && (engine == NULL))
@@ -113,6 +118,7 @@ int MAIN(int argc, char **argv)
 			else
 				badopt = 1;
 			}
 #endif
 		else if (strcmp(argv[i], "-rand") == 0)
 			{
 			if ((argv[i+1] != NULL) && (inrand == NULL))
@@ -150,13 +156,17 @@ int MAIN(int argc, char **argv)
 		BIO_printf(bio_err, "Usage: rand [options] num\n");
 		BIO_printf(bio_err, "where options are\n");
 		BIO_printf(bio_err, "-out file             - write to file\n");
 #ifndef OPENSSL_NO_ENGINE
 		BIO_printf(bio_err, "-engine e             - use engine e, possibly a hardware device.\n");
 #endif
 		BIO_printf(bio_err, "-rand file%cfile%c... - seed PRNG from files\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
 		BIO_printf(bio_err, "-base64               - encode output\n");
 		goto err;
 		}
 #ifndef OPENSSL_NO_ENGINE
        e = setup_engine(bio_err, engine, 0);
 #endif
 	app_RAND_load_file(NULL, bio_err, (inrand != NULL));
 	if (inrand != NULL)
@@ -213,5 +223,5 @@ err:
 	if (out)
 		BIO_free_all(out);
 	apps_shutdown();
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
--- a/apps/req.c
+++ b/apps/req.c
@@ -73,6 +73,7 @@
 #include <openssl/x509v3.h>
 #include <openssl/objects.h>
 #include <openssl/pem.h>
 #include "../crypto/cryptlib.h"
 #define SECTION		"req"
@@ -134,7 +135,6 @@ static int req_check_len(int len,int n_min,int n_max);
 static int check_end(char *str, char *end);
 #ifndef MONOLITH
 static char *default_config_file=NULL;
 static CONF *config=NULL;
 #endif
 static CONF *req_conf=NULL;
 static int batch=0;
@@ -142,7 +142,6 @@ static int batch=0;
 #define TYPE_RSA	1
 #define TYPE_DSA	2
 #define TYPE_DH		3
 #define TYPE_ECDSA	4
 int MAIN(int, char **);
@@ -152,10 +151,7 @@ int MAIN(int argc, char **argv)
 #ifndef OPENSSL_NO_DSA
 	DSA *dsa_params=NULL;
 #endif
-#ifndef OPENSSL_NO_ECDSA
+	unsigned long nmflag = 0, reqflag = 0;
 	ECDSA *ecdsa_params = NULL;
 #endif
 	unsigned long nmflag = 0;
 	int ex=1,x509=0,days=30;
 	X509 *x509ss=NULL;
 	X509_REQ *req=NULL;
@@ -166,7 +162,9 @@ int MAIN(int argc, char **argv)
 	int informat,outformat,verify=0,noout=0,text=0,keyform=FORMAT_PEM;
 	int nodes=0,kludge=0,newhdr=0,subject=0,pubkey=0;
 	char *infile,*outfile,*prog,*keyfile=NULL,*template=NULL,*keyout=NULL;
 #ifndef OPENSSL_NO_ENGINE
 	char *engine=NULL;
 #endif
 	char *extensions = NULL;
 	char *req_exts = NULL;
 	const EVP_CIPHER *cipher=NULL;
@@ -180,7 +178,7 @@ int MAIN(int argc, char **argv)
 	const EVP_MD *md_alg=NULL,*digest=EVP_md5();
 	unsigned long chtype = MBSTRING_ASC;
 #ifndef MONOLITH
-	MS_STATIC char config_name[256];
+	char *to_free;
 	long errline;
 #endif
@@ -214,11 +212,13 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			outformat=str2fmt(*(++argv));
 			}
 #ifndef OPENSSL_NO_ENGINE
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 			}
 #endif
 		else if (strcmp(*argv,"-key") == 0)
 			{
 			if (--argc < 1) goto bad;
@@ -322,64 +322,8 @@ int MAIN(int argc, char **argv)
 						}
 					}
 				BIO_free(in);
 				in=NULL;
 				newkey=BN_num_bits(dsa_params->p);
 				}
 			else 
 #endif
 #ifndef OPENSSL_NO_ECDSA
 				if (strncmp("ecdsa:",p,4) == 0)
 				{
 				X509 *xtmp=NULL;
 				EVP_PKEY *dtmp;
 				pkey_type=TYPE_ECDSA;
 				p+=6;
 				if ((in=BIO_new_file(p,"r")) == NULL)
 					{
 					perror(p);
 					goto end;
 					}
 				if ((ecdsa_params = ECDSA_new()) == NULL)
 					goto end;
 				if ((ecdsa_params->group = PEM_read_bio_ECPKParameters(in, NULL, NULL, NULL)) == NULL)
 					{
 					if (ecdsa_params)
 						ECDSA_free(ecdsa_params);
 					ERR_clear_error();
 					(void)BIO_reset(in);
 					if ((xtmp=PEM_read_bio_X509(in,NULL,NULL,NULL)) == NULL)
 						{	
 						BIO_printf(bio_err,"unable to load ECDSA parameters from file\n");
 						goto end;
 						}
 					if ((dtmp=X509_get_pubkey(xtmp)) == NULL) goto end;
 					if (dtmp->type == EVP_PKEY_ECDSA)
 						ecdsa_params = ECDSAParameters_dup(dtmp->pkey.ecdsa);
 					EVP_PKEY_free(dtmp);
 					X509_free(xtmp);
 					if (ecdsa_params == NULL)
 						{
 						BIO_printf(bio_err,"Certificate does not contain ECDSA parameters\n");
 						goto end;
 						}
 					}
 				BIO_free(in);
 				in=NULL;
 				{
 				BIGNUM *order = BN_new();
 				if (!order)
 					goto end;
 				if (!EC_GROUP_get_order(ecdsa_params->group, order, NULL))
 					goto end;
 				newkey = BN_num_bits(order);
 				BN_free(order);
 				}
 				}
 			else 
 #endif
@@ -416,6 +360,11 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			if (!set_name_ex(&nmflag, *(++argv))) goto bad;
 			}
 		else if (strcmp(*argv,"-reqopt") == 0)
 			{
 			if (--argc < 1) goto bad;
 			if (!set_cert_ex(&reqflag, *(++argv))) goto bad;
 			}
 		else if (strcmp(*argv,"-subject") == 0)
 			subject=1;
 		else if (strcmp(*argv,"-text") == 0)
@@ -483,7 +432,9 @@ bad:
 		BIO_printf(bio_err," -verify        verify signature on REQ\n");
 		BIO_printf(bio_err," -modulus       RSA modulus\n");
 		BIO_printf(bio_err," -nodes         don't encrypt the output key\n");
 #ifndef OPENSSL_NO_ENGINE
 		BIO_printf(bio_err," -engine e      use engine e, possibly a hardware device\n");
 #endif
 		BIO_printf(bio_err," -subject       output the request's subject\n");
 		BIO_printf(bio_err," -passin        private key password source\n");
 		BIO_printf(bio_err," -key file      use the private key contained in file\n");
@@ -494,7 +445,6 @@ bad:
 		BIO_printf(bio_err,"                the random number generator\n");
 		BIO_printf(bio_err," -newkey rsa:bits generate a new RSA key of 'bits' in size\n");
 		BIO_printf(bio_err," -newkey dsa:file generate a new DSA key, parameters taken from CA in 'file'\n");
 		BIO_printf(bio_err," -newkey ecdsa:file generate a new ECDSA key, parameters taken from CA in 'file'\n");
 		BIO_printf(bio_err," -[digest]      Digest to sign with (md5, sha1, md2, mdc2, md4)\n");
 		BIO_printf(bio_err," -config file   request template file.\n");
 		BIO_printf(bio_err," -subj arg      set or modify request subject\n");
@@ -510,6 +460,7 @@ bad:
 		BIO_printf(bio_err," -reqexts ..    specify request extension section (override value in config file)\n");
 		BIO_printf(bio_err," -utf8          input characters are UTF8 (default ASCII)\n");
 		BIO_printf(bio_err," -nameopt arg    - various certificate name options\n");
 		BIO_printf(bio_err," -reqopt arg    - various request text options\n\n");
 		goto end;
 		}
@@ -525,14 +476,7 @@ bad:
 	if (p == NULL)
 		p=getenv("SSLEAY_CONF");
 	if (p == NULL)
-		{
+		p=to_free=make_config_name();
 		strcpy(config_name,X509_get_default_cert_area());
 #ifndef OPENSSL_SYS_VMS
 		strcat(config_name,"/");
 #endif
 		strcat(config_name,OPENSSL_CONF);
 		p=config_name;
 		}
 	default_config_file=p;
 	config=NCONF_new(NULL);
 	i=NCONF_load(config, p, &errline);
@@ -540,7 +484,7 @@ bad:
 	if (template != NULL)
 		{
-		long errline;
+		long errline = -1;
 		if( verbose )
 			BIO_printf(bio_err,"Using configuration from %s\n",template);
@@ -679,11 +623,13 @@ bad:
 	if ((in == NULL) || (out == NULL))
 		goto end;
 #ifndef OPENSSL_NO_ENGINE
        e = setup_engine(bio_err, engine, 0);
 #endif
 	if (keyfile != NULL)
 		{
-		pkey = load_key(bio_err, keyfile, keyform, passin, e,
+		pkey = load_key(bio_err, keyfile, keyform, 0, passin, e,
 			"Private Key");
 		if (!pkey)
 			{
@@ -691,7 +637,7 @@ bad:
 			   message */
 			goto end;
 			}
-		if (EVP_PKEY_type(pkey->type) == EVP_PKEY_DSA || EVP_PKEY_type(pkey->type) == EVP_PKEY_ECDSA)
+		if (EVP_PKEY_type(pkey->type) == EVP_PKEY_DSA)
 			{
 			char *randfile = NCONF_get_string(req_conf,SECTION,"RANDFILE");
 			if (randfile == NULL)
@@ -715,15 +661,14 @@ bad:
 				newkey=DEFAULT_KEY_LENGTH;
 			}
-		if (newkey < MIN_KEY_LENGTH && (pkey_type == TYPE_RSA || pkey_type == TYPE_DSA))
+		if (newkey < MIN_KEY_LENGTH)
 		/* TODO: appropriate minimal keylength for the different algorithm (esp. ECDSA) */
 			{
 			BIO_printf(bio_err,"private key length is too short,\n");
 			BIO_printf(bio_err,"it needs to be at least %d bits, not %d\n",MIN_KEY_LENGTH,newkey);
 			goto end;
 			}
 		BIO_printf(bio_err,"Generating a %d bit %s private key\n",
-			newkey,(pkey_type == TYPE_RSA)?"RSA":(pkey_type == TYPE_DSA)?"DSA":"ECDSA");
+			newkey,(pkey_type == TYPE_RSA)?"RSA":"DSA");
 		if ((pkey=EVP_PKEY_new()) == NULL) goto end;
@@ -745,14 +690,6 @@ bad:
 			dsa_params=NULL;
 			}
 #endif
 #ifndef OPENSSL_NO_ECDSA
 			if (pkey_type == TYPE_ECDSA)
 			{
 			if (!ECDSA_generate_key(ecdsa_params)) goto end;
 			if (!EVP_PKEY_assign_ECDSA(pkey, ecdsa_params)) goto end;
 			ecdsa_params = NULL;
 			}
 #endif
 		app_RAND_write_file(randfile, bio_err);
@@ -858,10 +795,6 @@ loop:
 #ifndef OPENSSL_NO_DSA
 		if (pkey->type == EVP_PKEY_DSA)
 			digest=EVP_dss1();
 #endif
 #ifndef OPENSSL_NO_ECDSA
 		if (pkey->type == EVP_PKEY_ECDSA)
 			digest=EVP_ecdsa();
 #endif
 		if (req == NULL)
 			{
@@ -1055,9 +988,9 @@ loop:
 	if (text)
 		{
 		if (x509)
-			X509_print(out,x509ss);
+			X509_print_ex(out, x509ss, nmflag, reqflag);
 		else	
-			X509_REQ_print(out,req);
+			X509_REQ_print_ex(out, req, nmflag, reqflag);
 		}
 	if(subject) 
@@ -1127,6 +1060,10 @@ loop:
 		}
 	ex=0;
 end:
 #ifndef MONOLITH
 	if(to_free)
 		OPENSSL_free(to_free);
 #endif
 	if (ex)
 		{
 		ERR_print_errors(bio_err);
@@ -1143,12 +1080,9 @@ end:
 	OBJ_cleanup();
 #ifndef OPENSSL_NO_DSA
 	if (dsa_params != NULL) DSA_free(dsa_params);
 #endif
 #ifndef OPENSSL_NO_ECDSA
 	if (ecdsa_params != NULL) ECDSA_free(ecdsa_params);
 #endif
 	apps_shutdown();
-	EXIT(ex);
+	OPENSSL_EXIT(ex);
 	}
 static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *subj, int attribs,
@@ -1289,13 +1223,19 @@ start:		for (;;)
 				}
 			/* If OBJ not recognised ignore it */
 			if ((nid=OBJ_txt2nid(type)) == NID_undef) goto start;
 			if(strlen(v->name) > sizeof buf-9)
 			   {
 			   BIO_printf(bio_err,"Name '%s' too long\n",v->name);
 			   return 0;
 			   }
 			sprintf(buf,"%s_default",v->name);
 			if ((def=NCONF_get_string(req_conf,dn_sect,buf)) == NULL)
 				{
 				ERR_clear_error();
 				def="";
 				}
 			sprintf(buf,"%s_value",v->name);
 			if ((value=NCONF_get_string(req_conf,dn_sect,buf)) == NULL)
 				{
@@ -1305,11 +1245,17 @@ start:		for (;;)
 			sprintf(buf,"%s_min",v->name);
 			if (!NCONF_get_number(req_conf,dn_sect,buf, &n_min))
 				{
 				ERR_clear_error();
 				n_min = -1;
 				}
 			sprintf(buf,"%s_max",v->name);
 			if (!NCONF_get_number(req_conf,dn_sect,buf, &n_max))
 				{
 				ERR_clear_error();
 				n_max = -1;
 				}
 			if (!add_DN_object(subj,v->value,def,value,nid,
 				n_min,n_max, chtype))
@@ -1342,6 +1288,12 @@ start2:			for (;;)
 				if ((nid=OBJ_txt2nid(type)) == NID_undef)
 					goto start2;
 				if(strlen(v->name) > sizeof buf-9)
 				   {
 				   BIO_printf(bio_err,"Name '%s' too long\n",v->name);
 				   return 0;
 				   }
 				sprintf(buf,"%s_default",type);
 				if ((def=NCONF_get_string(req_conf,attr_sect,buf))
 					== NULL)
@@ -1445,6 +1397,7 @@ start:
 	(void)BIO_flush(bio_err);
 	if(value != NULL)
 		{
 		OPENSSL_assert(strlen(value) < sizeof buf-2);
 		strcpy(buf,value);
 		strcat(buf,"\n");
 		BIO_printf(bio_err,"%s\n",value);
@@ -1454,7 +1407,7 @@ start:
 		buf[0]='\0';
 		if (!batch)
 			{
-			fgets(buf,1024,stdin);
+			fgets(buf,sizeof buf,stdin);
 			}
 		else
 			{
@@ -1503,6 +1456,7 @@ start:
 	(void)BIO_flush(bio_err);
 	if (value != NULL)
 		{
 		OPENSSL_assert(strlen(value) < sizeof buf-2);
 		strcpy(buf,value);
 		strcat(buf,"\n");
 		BIO_printf(bio_err,"%s\n",value);
@@ -1512,7 +1466,7 @@ start:
 		buf[0]='\0';
 		if (!batch)
 			{
-			fgets(buf,1024,stdin);
+			fgets(buf,sizeof buf,stdin);
 			}
 		else
 			{
--- a/apps/rsa.c
+++ b/apps/rsa.c
@@ -104,7 +104,9 @@ int MAIN(int argc, char **argv)
 	char *infile,*outfile,*prog;
 	char *passargin = NULL, *passargout = NULL;
 	char *passin = NULL, *passout = NULL;
 #ifndef OPENSSL_NO_ENGINE
 	char *engine=NULL;
 #endif
 	int modulus=0;
 	apps_startup();
@@ -156,11 +158,13 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			passargout= *(++argv);
 			}
 #ifndef OPENSSL_NO_ENGINE
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 			}
 #endif
 		else if (strcmp(*argv,"-sgckey") == 0)
 			sgckey=1;
 		else if (strcmp(*argv,"-pubin") == 0)
@@ -212,13 +216,17 @@ bad:
 		BIO_printf(bio_err," -check          verify key consistency\n");
 		BIO_printf(bio_err," -pubin          expect a public key in input file\n");
 		BIO_printf(bio_err," -pubout         output a public key\n");
 #ifndef OPENSSL_NO_ENGINE
 		BIO_printf(bio_err," -engine e       use engine e, possibly a hardware device.\n");
 #endif
 		goto end;
 		}
 	ERR_load_crypto_strings();
 #ifndef OPENSSL_NO_ENGINE
        e = setup_engine(bio_err, engine, 0);
 #endif
 	if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
 		BIO_printf(bio_err, "Error getting passwords\n");
@@ -238,12 +246,12 @@ bad:
 		if (pubin)
 			pkey = load_pubkey(bio_err, infile,
 				(informat == FORMAT_NETSCAPE && sgckey ?
-					FORMAT_IISSGC : informat),
+					FORMAT_IISSGC : informat), 1,
 				passin, e, "Public Key");
 		else
 			pkey = load_key(bio_err, infile,
 				(informat == FORMAT_NETSCAPE && sgckey ?
-					FORMAT_IISSGC : informat),
+					FORMAT_IISSGC : informat), 1,
 				passin, e, "Private Key");
 		if (pkey != NULL)
@@ -369,7 +377,7 @@ end:
 	if(passin) OPENSSL_free(passin);
 	if(passout) OPENSSL_free(passout);
 	apps_shutdown();
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
 #else /* !OPENSSL_NO_RSA */
--- a/apps/rsautl.c
+++ b/apps/rsautl.c
@@ -85,7 +85,9 @@ int MAIN(int argc, char **argv)
 	ENGINE *e = NULL;
 	BIO *in = NULL, *out = NULL;
 	char *infile = NULL, *outfile = NULL;
 #ifndef OPENSSL_NO_ENGINE
 	char *engine = NULL;
 #endif
 	char *keyfile = NULL;
 	char rsa_mode = RSA_VERIFY, key_type = KEY_PRIVKEY;
 	int keyform = FORMAT_PEM;
@@ -125,9 +127,11 @@ int MAIN(int argc, char **argv)
 		} else if (strcmp(*argv,"-keyform") == 0) {
 			if (--argc < 1) badarg = 1;
 			keyform=str2fmt(*(++argv));
 #ifndef OPENSSL_NO_ENGINE
 		} else if(!strcmp(*argv, "-engine")) {
 			if (--argc < 1) badarg = 1;
 			engine = *(++argv);
 #endif
 		} else if(!strcmp(*argv, "-pubin")) {
 			key_type = KEY_PUBKEY;
 		} else if(!strcmp(*argv, "-certin")) {
@@ -162,19 +166,21 @@ int MAIN(int argc, char **argv)
 		goto end;
 	}
 #ifndef OPENSSL_NO_ENGINE
        e = setup_engine(bio_err, engine, 0);
 #endif
 /* FIXME: seed PRNG only if needed */
 	app_RAND_load_file(NULL, bio_err, 0);
 	switch(key_type) {
 		case KEY_PRIVKEY:
-		pkey = load_key(bio_err, keyfile, keyform,
+		pkey = load_key(bio_err, keyfile, keyform, 0,
 			NULL, e, "Private Key");
 		break;
 		case KEY_PUBKEY:
-		pkey = load_pubkey(bio_err, keyfile, keyform,
+		pkey = load_pubkey(bio_err, keyfile, keyform, 0,
 			NULL, e, "Public Key");
 		break;
@@ -305,7 +311,9 @@ static void usage()
 	BIO_printf(bio_err, "-encrypt        encrypt with public key\n");
 	BIO_printf(bio_err, "-decrypt        decrypt with private key\n");
 	BIO_printf(bio_err, "-hexdump        hex dump output\n");
 #ifndef OPENSSL_NO_ENGINE
 	BIO_printf(bio_err, "-engine e       use engine e, possibly a hardware device.\n");
 #endif
 }
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -134,7 +134,7 @@ int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
 	err=	X509_STORE_CTX_get_error(ctx);
 	depth=	X509_STORE_CTX_get_error_depth(ctx);
-	X509_NAME_oneline(X509_get_subject_name(err_cert),buf,256);
+	X509_NAME_oneline(X509_get_subject_name(err_cert),buf,sizeof buf);
 	BIO_printf(bio_err,"depth=%d %s\n",depth,buf);
 	if (!ok)
 		{
@@ -154,7 +154,7 @@ int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
 	switch (ctx->error)
 		{
 	case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
-		X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert),buf,256);
+		X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert),buf,sizeof buf);
 		BIO_printf(bio_err,"issuer= %s\n",buf);
 		break;
 	case X509_V_ERR_CERT_NOT_YET_VALID:
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -140,6 +140,14 @@ typedef unsigned int u_int;
 #include <conio.h>
 #endif
 #ifdef OPENSSL_SYS_WINCE
 /* Windows CE incorrectly defines fileno as returning void*, so to avoid problems below... */
 #ifdef fileno
 #undef fileno
 #endif
 #define fileno(a) (int)_fileno(a)
 #endif
 #if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
 /* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
@@ -214,7 +222,9 @@ static void sc_usage(void)
 	BIO_printf(bio_err,"                 for those protocols that support it, where\n");
 	BIO_printf(bio_err,"                 'prot' defines which one to assume.  Currently,\n");
 	BIO_printf(bio_err,"                 only \"smtp\" is supported.\n");
 #ifndef OPENSSL_NO_ENGINE
 	BIO_printf(bio_err," -engine id    - Initialise and use the specified engine\n");
 #endif
 	BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
 	}
@@ -246,8 +256,10 @@ int MAIN(int argc, char **argv)
 	SSL_METHOD *meth=NULL;
 	BIO *sbio;
 	char *inrand=NULL;
 #ifndef OPENSSL_NO_ENGINE
 	char *engine_id=NULL;
 	ENGINE *e=NULL;
 #endif
 #ifdef OPENSSL_SYS_WINDOWS
 	struct timeval tv;
 #endif
@@ -407,11 +419,13 @@ int MAIN(int argc, char **argv)
 			else
 				goto bad;
 			}
 #ifndef OPENSSL_NO_ENGINE
 		else if	(strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine_id = *(++argv);
 			}
 #endif
 		else if (strcmp(*argv,"-rand") == 0)
 			{
 			if (--argc < 1) goto bad;
@@ -436,7 +450,9 @@ bad:
 	OpenSSL_add_ssl_algorithms();
 	SSL_load_error_strings();
 #ifndef OPENSSL_NO_ENGINE
        e = setup_engine(bio_err, engine_id, 1);
 #endif
 	if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
 		&& !RAND_status())
@@ -662,7 +678,11 @@ re_start:
 					tv.tv_usec = 0;
 					i=select(width,(void *)&readfds,(void *)&writefds,
 						 NULL,&tv);
 #ifdef OPENSSL_SYS_WINCE
 					if(!i && (!_kbhit() || !read_tty) ) continue;
 #else
 					if(!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) || !read_tty) ) continue;
 #endif
 				} else 	i=select(width,(void *)&readfds,(void *)&writefds,
 					 NULL,NULL);
 			}
@@ -746,8 +766,8 @@ re_start:
 				goto shut;
 				}
 			}
-#ifdef OPENSSL_SYS_WINDOWS
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
-		/* Assume Windows can always write */
+		/* Assume Windows/DOS can always write */
 		else if (!ssl_pending && write_tty)
 #else
 		else if (!ssl_pending && FD_ISSET(fileno(stdout),&writefds))
@@ -828,7 +848,11 @@ printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240
 			}
 #ifdef OPENSSL_SYS_WINDOWS
 #ifdef OPENSSL_SYS_WINCE
 		else if (_kbhit())
 #else
 		else if ((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0)))
 #endif
 #else
 		else if (FD_ISSET(fileno(stdin),&readfds))
 #endif
@@ -892,16 +916,16 @@ end:
 	if (con != NULL) SSL_free(con);
 	if (con2 != NULL) SSL_free(con2);
 	if (ctx != NULL) SSL_CTX_free(ctx);
-	if (cbuf != NULL) { memset(cbuf,0,BUFSIZZ); OPENSSL_free(cbuf); }
+	if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); }
-	if (sbuf != NULL) { memset(sbuf,0,BUFSIZZ); OPENSSL_free(sbuf); }
+	if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); }
-	if (mbuf != NULL) { memset(mbuf,0,BUFSIZZ); OPENSSL_free(mbuf); }
+	if (mbuf != NULL) { OPENSSL_cleanse(mbuf,BUFSIZZ); OPENSSL_free(mbuf); }
 	if (bio_c_out != NULL)
 		{
 		BIO_free(bio_c_out);
 		bio_c_out=NULL;
 		}
 	apps_shutdown();
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
@@ -930,10 +954,10 @@ static void print_stuff(BIO *bio, SSL *s, int full)
 			for (i=0; i<sk_X509_num(sk); i++)
 				{
 				X509_NAME_oneline(X509_get_subject_name(
-					sk_X509_value(sk,i)),buf,BUFSIZ);
+					sk_X509_value(sk,i)),buf,sizeof buf);
 				BIO_printf(bio,"%2d s:%s\n",i,buf);
 				X509_NAME_oneline(X509_get_issuer_name(
-					sk_X509_value(sk,i)),buf,BUFSIZ);
+					sk_X509_value(sk,i)),buf,sizeof buf);
 				BIO_printf(bio,"   i:%s\n",buf);
 				if (c_showcerts)
 					PEM_write_bio_X509(bio,sk_X509_value(sk,i));
@@ -948,10 +972,10 @@ static void print_stuff(BIO *bio, SSL *s, int full)
 			if (!(c_showcerts && got_a_chain)) /* Redundant if we showed the whole chain */
 				PEM_write_bio_X509(bio,peer);
 			X509_NAME_oneline(X509_get_subject_name(peer),
-				buf,BUFSIZ);
+				buf,sizeof buf);
 			BIO_printf(bio,"subject=%s\n",buf);
 			X509_NAME_oneline(X509_get_issuer_name(peer),
-				buf,BUFSIZ);
+				buf,sizeof buf);
 			BIO_printf(bio,"issuer=%s\n",buf);
 			}
 		else
@@ -973,7 +997,7 @@ static void print_stuff(BIO *bio, SSL *s, int full)
 			{
 			BIO_printf(bio,"---\nNo client certificate CA names sent\n");
 			}
-		p=SSL_get_shared_ciphers(s,buf,BUFSIZ);
+		p=SSL_get_shared_ciphers(s,buf,sizeof buf);
 		if (p != NULL)
 			{
 			/* This works only for SSL 2.  In later protocol
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -144,6 +144,14 @@ typedef unsigned int u_int;
 #include <conio.h>
 #endif
 #ifdef OPENSSL_SYS_WINCE
 /* Windows CE incorrectly defines fileno as returning void*, so to avoid problems below... */
 #ifdef fileno
 #undef fileno
 #endif
 #define fileno(a) (int)_fileno(a)
 #endif
 #if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
 /* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
 #undef FIONBIO
@@ -234,7 +242,9 @@ static int s_msg=0;
 static int s_quiet=0;
 static int hack=0;
 #ifndef OPENSSL_NO_ENGINE
 static char *engine_id=NULL;
 #endif
 static const char *session_id_prefix=NULL;
 #ifdef MONOLITH
@@ -259,7 +269,9 @@ static void s_server_init(void)
 	s_msg=0;
 	s_quiet=0;
 	hack=0;
 #ifndef OPENSSL_NO_ENGINE
 	engine_id=NULL;
 #endif
 	}
 #endif
@@ -308,7 +320,9 @@ static void sv_usage(void)
 	BIO_printf(bio_err," -WWW          - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n");
 	BIO_printf(bio_err," -HTTP         - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n");
        BIO_printf(bio_err,"                 with the assumption it contains a complete HTTP response.\n");
 #ifndef OPENSSL_NO_ENGINE
 	BIO_printf(bio_err," -engine id    - Initialise and use the specified engine\n");
 #endif
 	BIO_printf(bio_err," -id_prefix arg - Generate SSL/TLS session IDs prefixed by 'arg'\n");
 	BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
 	}
@@ -320,10 +334,10 @@ static char **local_argv;
 static int ebcdic_new(BIO *bi);
 static int ebcdic_free(BIO *a);
 static int ebcdic_read(BIO *b, char *out, int outl);
-static int ebcdic_write(BIO *b, char *in, int inl);
+static int ebcdic_write(BIO *b, const char *in, int inl);
-static long ebcdic_ctrl(BIO *b, int cmd, long num, char *ptr);
+static long ebcdic_ctrl(BIO *b, int cmd, long num, void *ptr);
 static int ebcdic_gets(BIO *bp, char *buf, int size);
-static int ebcdic_puts(BIO *bp, char *str);
+static int ebcdic_puts(BIO *bp, const char *str);
 #define BIO_TYPE_EBCDIC_FILTER	(18|0x0200)
 static BIO_METHOD methods_ebcdic=
@@ -388,7 +402,7 @@ static int ebcdic_read(BIO *b, char *out, int outl)
 	return(ret);
 }
-static int ebcdic_write(BIO *b, char *in, int inl)
+static int ebcdic_write(BIO *b, const char *in, int inl)
 {
 	EBCDIC_OUTBUFF *wbuf;
 	int ret=0;
@@ -421,7 +435,7 @@ static int ebcdic_write(BIO *b, char *in, int inl)
 	return(ret);
 }
-static long ebcdic_ctrl(BIO *b, int cmd, long num, char *ptr)
+static long ebcdic_ctrl(BIO *b, int cmd, long num, void *ptr)
 {
 	long ret;
@@ -440,7 +454,7 @@ static long ebcdic_ctrl(BIO *b, int cmd, long num, char *ptr)
 static int ebcdic_gets(BIO *bp, char *buf, int size)
 {
-	int i, ret;
+	int i, ret=0;
 	if (bp->next_bio == NULL) return(0);
 /*	return(BIO_gets(bp->next_bio,buf,size));*/
 	for (i=0; i<size-1; ++i)
@@ -459,7 +473,7 @@ static int ebcdic_gets(BIO *bp, char *buf, int size)
 	return (ret < 0 && i == 0) ? ret : i;
 }
-static int ebcdic_puts(BIO *bp, char *str)
+static int ebcdic_puts(BIO *bp, const char *str)
 {
 	if (bp->next_bio == NULL) return(0);
 	return ebcdic_write(bp, str, strlen(str));
@@ -482,7 +496,9 @@ int MAIN(int argc, char *argv[])
 	int no_tmp_rsa=0,no_dhe=0,nocert=0;
 	int state=0;
 	SSL_METHOD *meth=NULL;
 #ifndef OPENSSL_NO_ENGINE
 	ENGINE *e=NULL;
 #endif
 	char *inrand=NULL;
 #if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
@@ -657,11 +673,13 @@ int MAIN(int argc, char *argv[])
 			if (--argc < 1) goto bad;
 			session_id_prefix = *(++argv);
 			}
 #ifndef OPENSSL_NO_ENGINE
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine_id= *(++argv);
 			}
 #endif
 		else if (strcmp(*argv,"-rand") == 0)
 			{
 			if (--argc < 1) goto bad;
@@ -686,7 +704,9 @@ bad:
 	SSL_load_error_strings();
 	OpenSSL_add_ssl_algorithms();
 #ifndef OPENSSL_NO_ENGINE
        e = setup_engine(bio_err, engine_id, 1);
 #endif
 	if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
 		&& !RAND_status())
@@ -710,7 +730,7 @@ bad:
 			}
 		}
-#if !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_ECDSA)
+#if !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_DSA)
 	if (nocert)
 #endif
 		{
@@ -860,7 +880,7 @@ end:
 		bio_s_out=NULL;
 		}
 	apps_shutdown();
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
 static void print_stats(BIO *bio, SSL_CTX *ssl_ctx)
@@ -1176,7 +1196,7 @@ err:
 	BIO_printf(bio_s_out,"CONNECTION CLOSED\n");
 	if (buf != NULL)
 		{
-		memset(buf,0,bufsize);
+		OPENSSL_cleanse(buf,bufsize);
 		OPENSSL_free(buf);
 		}
 	if (ret >= 0)
@@ -1228,14 +1248,14 @@ static int init_ssl_connection(SSL *con)
 		{
 		BIO_printf(bio_s_out,"Client certificate\n");
 		PEM_write_bio_X509(bio_s_out,peer);
-		X509_NAME_oneline(X509_get_subject_name(peer),buf,BUFSIZ);
+		X509_NAME_oneline(X509_get_subject_name(peer),buf,sizeof buf);
 		BIO_printf(bio_s_out,"subject=%s\n",buf);
-		X509_NAME_oneline(X509_get_issuer_name(peer),buf,BUFSIZ);
+		X509_NAME_oneline(X509_get_issuer_name(peer),buf,sizeof buf);
 		BIO_printf(bio_s_out,"issuer=%s\n",buf);
 		X509_free(peer);
 		}
-	if (SSL_get_shared_ciphers(con,buf,BUFSIZ) != NULL)
+	if (SSL_get_shared_ciphers(con,buf,sizeof buf) != NULL)
 		BIO_printf(bio_s_out,"Shared ciphers:%s\n",buf);
 	str=SSL_CIPHER_get_name(SSL_get_current_cipher(con));
 	BIO_printf(bio_s_out,"CIPHER is %s\n",(str != NULL)?str:"(NONE)");
@@ -1395,7 +1415,7 @@ static int www_body(char *hostname, int s, unsigned char *context)
 			else
 				{
 				BIO_printf(bio_s_out,"read R BLOCK\n");
-#ifndef OPENSSL_SYS_MSDOS
+#if !defined(OPENSSL_SYS_MSDOS) && !defined(__DJGPP__)
 				sleep(1);
 #endif
 				continue;
--- a/apps/s_socket.c
+++ b/apps/s_socket.c
@@ -83,9 +83,9 @@ typedef unsigned int u_int;
 static struct hostent *GetHostByName(char *name);
 #ifdef OPENSSL_SYS_WINDOWS
-static void sock_cleanup(void);
+static void ssl_sock_cleanup(void);
 #endif
-static int sock_init(void);
+static int ssl_sock_init(void);
 static int init_client_ip(int *sock,unsigned char ip[4], int port);
 static int init_server(int *sock, int port);
 static int init_server_long(int *sock, int port,char *ip);
@@ -118,7 +118,7 @@ static LONG FAR PASCAL topHookProc(HWND hwnd, UINT message, WPARAM wParam,
 		case WM_DESTROY:
 		case WM_CLOSE:
 			SetWindowLong(topWnd,GWL_WNDPROC,(LONG)lpTopWndProc);
-			sock_cleanup();
+			ssl_sock_cleanup();
 			break;
 			}
 		}
@@ -135,26 +135,34 @@ static BOOL CALLBACK enumproc(HWND hwnd,LPARAM lParam)
 #endif /* OPENSSL_SYS_WINDOWS */
 #ifdef OPENSSL_SYS_WINDOWS
-static void sock_cleanup(void)
+static void ssl_sock_cleanup(void)
 	{
 	if (wsa_init_done)
 		{
 		wsa_init_done=0;
 #ifndef OPENSSL_SYS_WINCE
 		WSACancelBlockingCall();
 #endif
 		WSACleanup();
 		}
 	}
 #endif
-static int sock_init(void)
+static int ssl_sock_init(void)
 	{
-#ifdef OPENSSL_SYS_WINDOWS
+#ifdef WATT32
 	extern int _watt_do_exit;
 	_watt_do_exit = 0;
 	dbug_init();
 	if (sock_init())
 		return (0);
 #elif defined(OPENSSL_SYS_WINDOWS)
 	if (!wsa_init_done)
 		{
 		int err;
 #ifdef SIGINT
-		signal(SIGINT,(void (*)(int))sock_cleanup);
+		signal(SIGINT,(void (*)(int))ssl_sock_cleanup);
 #endif
 		wsa_init_done=1;
 		memset(&wsa_state,0,sizeof(wsa_state));
@@ -196,7 +204,7 @@ static int init_client_ip(int *sock, unsigned char ip[4], int port)
 	struct sockaddr_in them;
 	int s,i;
-	if (!sock_init()) return(0);
+	if (!ssl_sock_init()) return(0);
 	memset((char *)&them,0,sizeof(them));
 	them.sin_family=AF_INET;
@@ -261,7 +269,7 @@ static int init_server_long(int *sock, int port, char *ip)
 	struct sockaddr_in server;
 	int s= -1,i;
-	if (!sock_init()) return(0);
+	if (!ssl_sock_init()) return(0);
 	memset((char *)&server,0,sizeof(server));
 	server.sin_family=AF_INET;
@@ -318,7 +326,7 @@ static int do_accept(int acc_sock, int *sock, char **host)
 	int len;
 /*	struct linger ling; */
-	if (!sock_init()) return(0);
+	if (!ssl_sock_init()) return(0);
 #ifndef OPENSSL_SYS_WINDOWS
 redoit:
@@ -448,7 +456,7 @@ static int host_ip(char *str, unsigned char ip[4])
 		{ /* do a gethostbyname */
 		struct hostent *he;
-		if (!sock_init()) return(0);
+		if (!ssl_sock_init()) return(0);
 		he=GetHostByName(str);
 		if (he == NULL)
@@ -529,9 +537,12 @@ static struct hostent *GetHostByName(char *name)
 		ret=gethostbyname(name);
 		if (ret == NULL) return(NULL);
 		/* else add to cache */
-		strncpy(ghbn_cache[lowi].name,name,128);
+		if(strlen(name) < sizeof ghbn_cache[0].name)
 			{
 			strcpy(ghbn_cache[lowi].name,name);
 			memcpy((char *)&(ghbn_cache[lowi].ent),ret,sizeof(struct hostent));
 			ghbn_cache[lowi].order=ghbn_miss+ghbn_hits;
 			}
 		return(ret);
 		}
 	else
--- a/apps/s_time.c
+++ b/apps/s_time.c
@@ -146,6 +146,8 @@
 #undef BUFSIZZ
 #define BUFSIZZ 1024*10
 #define MYBUFSIZ 1024*8
 #undef min
 #undef max
 #define min(a,b) (((a) < (b)) ? (a) : (b))
@@ -320,6 +322,11 @@ static int parseArgs(int argc, char **argv)
 		{
 		if (--argc < 1) goto bad;
 		s_www_path= *(++argv);
 		if(strlen(s_www_path) > MYBUFSIZ-100)
 			{
 			BIO_printf(bio_err,"-www option too long\n");
 			badop=1;
 			}
 		}
 	else if(strcmp(*argv,"-bugs") == 0)
 	    st_bugs=1;
@@ -480,7 +487,7 @@ int MAIN(int argc, char **argv)
 	tm_Time_F(START);
 	for (;;)
 		{
-		if (finishtime < time(NULL)) break;
+		if (finishtime < (long)time(NULL)) break;
 #ifdef WIN32_STUFF
 		if( flushWinMsgs(0) == -1 )
@@ -531,9 +538,9 @@ int MAIN(int argc, char **argv)
 		}
 	totalTime += tm_Time_F(STOP); /* Add the time for this iteration */
-	i=(int)(time(NULL)-finishtime+maxTime);
+	i=(int)((long)time(NULL)-finishtime+maxTime);
 	printf( "\n\n%d connections in %.2fs; %.2f connections/user sec, bytes read %ld\n", nConn, totalTime, ((double)nConn/totalTime),bytes_read);
-	printf( "%d connections in %ld real seconds, %ld bytes read per connection\n",nConn,time(NULL)-finishtime+maxTime,bytes_read/nConn);
+	printf( "%d connections in %ld real seconds, %ld bytes read per connection\n",nConn,(long)time(NULL)-finishtime+maxTime,bytes_read/nConn);
 	/* Now loop and time connections using the same session id over and over */
@@ -565,7 +572,7 @@ next:
 	nConn = 0;
 	totalTime = 0.0;
-	finishtime=time(NULL)+maxTime;
+	finishtime=(long)time(NULL)+maxTime;
 	printf( "starting\n" );
 	bytes_read=0;
@@ -573,7 +580,7 @@ next:
 	for (;;)
 		{
-		if (finishtime < time(NULL)) break;
+		if (finishtime < (long)time(NULL)) break;
 #ifdef WIN32_STUFF
 		if( flushWinMsgs(0) == -1 )
@@ -623,7 +630,7 @@ next:
 	printf( "\n\n%d connections in %.2fs; %.2f connections/user sec, bytes read %ld\n", nConn, totalTime, ((double)nConn/totalTime),bytes_read);
-	printf( "%d connections in %ld real seconds, %ld bytes read per connection\n",nConn,time(NULL)-finishtime+maxTime,bytes_read/nConn);
+	printf( "%d connections in %ld real seconds, %ld bytes read per connection\n",nConn,(long)time(NULL)-finishtime+maxTime,bytes_read/nConn);
 	ret=0;
 end:
@@ -635,7 +642,7 @@ end:
 		tm_ctx=NULL;
 		}
 	apps_shutdown();
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
 /***********************************************************************
--- a/apps/sess_id.c
+++ b/apps/sess_id.c
@@ -273,7 +273,7 @@ end:
 	if (out != NULL) BIO_free_all(out);
 	if (x != NULL) SSL_SESSION_free(x);
 	apps_shutdown();
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
 static SSL_SESSION *load_sess_id(char *infile, int format)
--- a/apps/smime.c
+++ b/apps/smime.c
@@ -104,7 +104,9 @@ int MAIN(int argc, char **argv)
 	int need_rand = 0;
 	int informat = FORMAT_SMIME, outformat = FORMAT_SMIME;
        int keyform = FORMAT_PEM;
 #ifndef OPENSSL_NO_ENGINE
 	char *engine=NULL;
 #endif
 	args = argv + 1;
 	ret = 1;
@@ -176,11 +178,13 @@ int MAIN(int argc, char **argv)
 				inrand = *args;
 			} else badarg = 1;
 			need_rand = 1;
 #ifndef OPENSSL_NO_ENGINE
 		} else if (!strcmp(*args,"-engine")) {
 			if (args[1]) {
 				args++;
 				engine = *args;
 			} else badarg = 1;
 #endif
 		} else if (!strcmp(*args,"-passin")) {
 			if (args[1]) {
 				args++;
@@ -330,7 +334,9 @@ int MAIN(int argc, char **argv)
 		BIO_printf (bio_err, "-CAfile file   trusted certificates file\n");
 		BIO_printf (bio_err, "-crl_check     check revocation status of signer's certificate using CRLs\n");
 		BIO_printf (bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
 #ifndef OPENSSL_NO_ENGINE
 		BIO_printf (bio_err, "-engine e      use engine e, possibly a hardware device.\n");
 #endif
 		BIO_printf (bio_err, "-passin arg    input file pass phrase source\n");
 		BIO_printf(bio_err,  "-rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
 		BIO_printf(bio_err,  "               load the file (or the files in the directory) into\n");
@@ -339,7 +345,9 @@ int MAIN(int argc, char **argv)
 		goto end;
 	}
 #ifndef OPENSSL_NO_ENGINE
        e = setup_engine(bio_err, engine, 0);
 #endif
 	if(!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
 		BIO_printf(bio_err, "Error getting password\n");
@@ -428,7 +436,7 @@ int MAIN(int argc, char **argv)
 	} else keyfile = NULL;
 	if(keyfile) {
-		key = load_key(bio_err, keyfile, keyform, passin, e,
+		key = load_key(bio_err, keyfile, keyform, 0, passin, e,
 			       "signing key file");
 		if (!key) {
 			goto end;
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -58,6 +58,8 @@
 /* most of this code has been pilfered from my libdes speed.c program */
 #ifndef OPENSSL_NO_SPEED
 #undef SECONDS
 #define SECONDS		3	
 #define RSA_SECONDS	10
@@ -187,7 +189,8 @@
 /* The following if from times(3) man page.  It may need to be changed */
 #ifndef HZ
-# ifdef _SC_CLK_TCK
+# if defined(_SC_CLK_TCK) \
     && (!defined(OPENSSL_SYS_VMS) || __CTRL_VER >= 70000000)
 #  define HZ ((double)sysconf(_SC_CLK_TCK))
 # else
 #  ifndef CLK_TCK
@@ -369,7 +372,9 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 	{
 #ifndef OPENSSL_NO_ENGINE
 	ENGINE *e = NULL;
 #endif
 	unsigned char *buf=NULL,*buf2=NULL;
 	int mret=1;
 	long count=0,save_count=0;
@@ -589,6 +594,7 @@ int MAIN(int argc, char **argv)
 			j--;	/* Otherwise, -elapsed gets confused with
 				   an algorithm. */
 			}
 #ifndef OPENSSL_NO_ENGINE
 		else if	((argc > 0) && (strcmp(*argv,"-engine") == 0))
 			{
 			argc--;
@@ -605,6 +611,7 @@ int MAIN(int argc, char **argv)
 			   means all of them should be run) */
 			j--;
 			}
 #endif
 #ifdef HAVE_FORK
 		else if	((argc > 0) && (strcmp(*argv,"-multi") == 0))
 			{
@@ -861,10 +868,12 @@ int MAIN(int argc, char **argv)
 			BIO_printf(bio_err,"\n");
 			BIO_printf(bio_err,"Available options:\n");
-#ifdef TIMES
+#if defined(TIMES) || defined(USE_TOD)
 			BIO_printf(bio_err,"-elapsed        measure time in real time instead of CPU user time.\n");
 #endif
 #ifndef OPENSSL_NO_ENGINE
 			BIO_printf(bio_err,"-engine e       use engine e, possibly a hardware device.\n");
 #endif
 			BIO_printf(bio_err,"-evp e          use EVP e.\n");
 			BIO_printf(bio_err,"-decrypt        time decryption instead of encryption (only EVP).\n");
 			BIO_printf(bio_err,"-mr             produce machine readable output.\n");
@@ -1392,6 +1401,7 @@ int MAIN(int argc, char **argv)
 				else
 					EVP_EncryptFinal_ex(&ctx,buf,&outl);
 				d=Time_F(STOP);
 				EVP_CIPHER_CTX_cleanup(&ctx);
 				}
 			if (evp_md)
 				{
@@ -1728,7 +1738,7 @@ end:
 			DSA_free(dsa_key[i]);
 #endif
 	apps_shutdown();
-	EXIT(mret);
+	OPENSSL_EXIT(mret);
 	}
 static void print_message(const char *s, long num, int length)
@@ -1781,7 +1791,7 @@ static char *sstrsep(char **string, const char *delim)
    if (**string == 0)
        return NULL;
-    memset(isdelim, 0, 256);
+    memset(isdelim, 0, sizeof isdelim);
    isdelim[0] = 1;
    while (*delim)
@@ -1938,3 +1948,4 @@ static int do_multi(int multi)
 	return 1;
 	}
 #endif
 #endif
--- a/apps/spkac.c
+++ b/apps/spkac.c
@@ -92,7 +92,9 @@ int MAIN(int argc, char **argv)
 	CONF *conf = NULL;
 	NETSCAPE_SPKI *spki = NULL;
 	EVP_PKEY *pkey = NULL;
 #ifndef OPENSSL_NO_ENGINE
 	char *engine=NULL;
 #endif
 	apps_startup();
@@ -141,11 +143,13 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			spksect= *(++argv);
 			}
 #ifndef OPENSSL_NO_ENGINE
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 			}
 #endif
 		else if (strcmp(*argv,"-noout") == 0)
 			noout=1;
 		else if (strcmp(*argv,"-pubkey") == 0)
@@ -171,7 +175,9 @@ bad:
 		BIO_printf(bio_err," -noout         don't print SPKAC\n");
 		BIO_printf(bio_err," -pubkey        output public key\n");
 		BIO_printf(bio_err," -verify        verify SPKAC signature\n");
 #ifndef OPENSSL_NO_ENGINE
 		BIO_printf(bio_err," -engine e      use engine e, possibly a hardware device.\n");
 #endif
 		goto end;
 		}
@@ -181,12 +187,14 @@ bad:
 		goto end;
 	}
 #ifndef OPENSSL_NO_ENGINE
        e = setup_engine(bio_err, engine, 0);
 #endif
 	if(keyfile) {
 		pkey = load_key(bio_err,
 				strcmp(keyfile, "-") ? keyfile : NULL,
-				FORMAT_PEM, passin, e, "private key");
+				FORMAT_PEM, 1, passin, e, "private key");
 		if(!pkey) {
 			goto end;
 		}
@@ -295,5 +303,5 @@ end:
 	EVP_PKEY_free(pkey);
 	if(passin) OPENSSL_free(passin);
 	apps_shutdown();
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
--- a/apps/verify.c
+++ b/apps/verify.c
@@ -86,7 +86,9 @@ int MAIN(int argc, char **argv)
 	STACK_OF(X509) *untrusted = NULL, *trusted = NULL;
 	X509_STORE *cert_ctx=NULL;
 	X509_LOOKUP *lookup=NULL;
 #ifndef OPENSSL_NO_ENGINE
 	char *engine=NULL;
 #endif
 	cert_ctx=X509_STORE_new();
 	if (cert_ctx == NULL) goto end;
@@ -142,11 +144,13 @@ int MAIN(int argc, char **argv)
 				if (argc-- < 1) goto end;
 				trustfile= *(++argv);
 				}
 #ifndef OPENSSL_NO_ENGINE
 			else if (strcmp(*argv,"-engine") == 0)
 				{
 				if (--argc < 1) goto end;
 				engine= *(++argv);
 				}
 #endif
 			else if (strcmp(*argv,"-help") == 0)
 				goto end;
 			else if (strcmp(*argv,"-ignore_critical") == 0)
@@ -170,7 +174,9 @@ int MAIN(int argc, char **argv)
 			break;
 		}
 #ifndef OPENSSL_NO_ENGINE
        e = setup_engine(bio_err, engine, 0);
 #endif
 	lookup=X509_STORE_add_lookup(cert_ctx,X509_LOOKUP_file());
 	if (lookup == NULL) abort();
@@ -219,7 +225,11 @@ int MAIN(int argc, char **argv)
 	ret=0;
 end:
 	if (ret == 1) {
-		BIO_printf(bio_err,"usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check] [-engine e] cert1 cert2 ...\n");
+		BIO_printf(bio_err,"usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]");
 #ifndef OPENSSL_NO_ENGINE
 		BIO_printf(bio_err," [-engine e]");
 #endif
 		BIO_printf(bio_err," cert1 cert2 ...\n");
 		BIO_printf(bio_err,"recognized usages:\n");
 		for(i = 0; i < X509_PURPOSE_get_count(); i++) {
 			X509_PURPOSE *ptmp;
@@ -232,7 +242,7 @@ end:
 	sk_X509_pop_free(untrusted, X509_free);
 	sk_X509_pop_free(trusted, X509_free);
 	apps_shutdown();
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
 static int check(X509_STORE *ctx, char *file, STACK_OF(X509) *uchain, STACK_OF(X509) *tchain, int purpose, ENGINE *e)
@@ -330,7 +340,8 @@ static int MS_CALLBACK cb(int ok, X509_STORE_CTX *ctx)
 	if (!ok)
 		{
 		X509_NAME_oneline(
-				X509_get_subject_name(ctx->current_cert),buf,256);
+				X509_get_subject_name(ctx->current_cert),buf,
 				sizeof buf);
 		printf("%s\n",buf);
 		printf("error %d at %d depth lookup:%s\n",ctx->error,
 			ctx->error_depth,
--- a/apps/version.c
+++ b/apps/version.c
@@ -200,5 +200,5 @@ int MAIN(int argc, char **argv)
 	if (dir)  printf("%s\n",SSLeay_version(SSLEAY_DIR));
 end:
 	apps_shutdown();
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
--- a/apps/winrand.c
+++ b/apps/winrand.c
@@ -118,7 +118,6 @@ LRESULT CALLBACK WndProc(HWND hwnd, UINT iMsg, WPARAM wParam, LPARAM lParam)
        HDC hdc;
 	PAINTSTRUCT ps;
        RECT rect;
        char buffer[200];
        static int seeded = 0;
 	switch (iMsg)
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -122,7 +122,7 @@ static char *x509_usage[]={
 " -CAkey arg      - set the CA key, must be PEM format\n",
 "                   missing, it is assumed to be in the CA file.\n",
 " -CAcreateserial - create serial number file if it does not exist\n",
-" -CAserial       - serial file\n",
+" -CAserial arg   - serial file\n",
 " -set_serial     - serial number to use\n",
 " -text           - print the certificate in text form\n",
 " -C              - print out C code forms\n",
@@ -131,7 +131,9 @@ static char *x509_usage[]={
 " -extensions     - section from config file with X509V3 extensions to add\n",
 " -clrext         - delete extensions before signing and input certificate\n",
 " -nameopt arg    - various certificate name options\n",
 #ifndef OPENSSL_NO_ENGINE
 " -engine e       - use engine e, possibly a hardware device.\n",
 #endif
 " -certopt arg    - various certificate text options\n",
 NULL
 };
@@ -183,7 +185,9 @@ int MAIN(int argc, char **argv)
 	int need_rand = 0;
 	int checkend=0,checkoffset=0;
 	unsigned long nmflag = 0, certflag = 0;
 #ifndef OPENSSL_NO_ENGINE
 	char *engine=NULL;
 #endif
 	reqfile=0;
@@ -360,11 +364,13 @@ int MAIN(int argc, char **argv)
 			alias= *(++argv);
 			trustout = 1;
 			}
 #ifndef OPENSSL_NO_ENGINE
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 			}
 #endif
 		else if (strcmp(*argv,"-C") == 0)
 			C= ++num;
 		else if (strcmp(*argv,"-email") == 0)
@@ -450,7 +456,9 @@ bad:
 		goto end;
 		}
 #ifndef OPENSSL_NO_ENGINE
        e = setup_engine(bio_err, engine, 0);
 #endif
 	if (need_rand)
 		app_RAND_load_file(NULL, bio_err, 0);
@@ -479,7 +487,7 @@ bad:
 	if (extfile)
 		{
-		long errorline;
+		long errorline = -1;
 		X509V3_CTX ctx2;
 		extconf = NCONF_new(NULL);
 		if (!NCONF_load(extconf, extfile,&errorline))
@@ -770,10 +778,11 @@ bad:
 				int y,z;
 				X509_NAME_oneline(X509_get_subject_name(x),
-					buf,256);
+					buf,sizeof buf);
 				BIO_printf(STDout,"/* subject:%s */\n",buf);
 				m=X509_NAME_oneline(
-					X509_get_issuer_name(x),buf,256);
+					X509_get_issuer_name(x),buf,
 					sizeof buf);
 				BIO_printf(STDout,"/* issuer :%s */\n",buf);
 				z=i2d_X509(x,NULL);
@@ -861,18 +870,14 @@ bad:
 				if (Upkey == NULL)
 					{
 					Upkey=load_key(bio_err,
-						keyfile,keyformat, passin, e,
+						keyfile, keyformat, 0,
-						"Private key");
+						passin, e, "Private key");
 					if (Upkey == NULL) goto end;
 					}
 #ifndef OPENSSL_NO_DSA
 		                if (Upkey->type == EVP_PKEY_DSA)
 		                        digest=EVP_dss1();
 #endif
 #ifndef OPENSSL_NO_ECDSA
 				if (Upkey->type == EVP_PKEY_ECDSA)
 					digest=EVP_ecdsa();
 #endif
 				assert(need_rand);
 				if (!sign(x,Upkey,days,clrext,digest,
@@ -884,18 +889,15 @@ bad:
 				if (CAkeyfile != NULL)
 					{
 					CApkey=load_key(bio_err,
-						CAkeyfile,CAkeyformat, passin,
+						CAkeyfile, CAkeyformat,
-						e, "CA Private Key");
+						0, passin, e,
 						"CA Private Key");
 					if (CApkey == NULL) goto end;
 					}
 #ifndef OPENSSL_NO_DSA
 		                if (CApkey->type == EVP_PKEY_DSA)
 		                        digest=EVP_dss1();
 #endif
 #ifndef OPENSSL_NO_ECDSA
 				if (CApkey->type == EVP_PKEY_ECDSA)
 					digest = EVP_ecdsa();
 #endif
 				assert(need_rand);
 				if (!x509_certify(ctx,CAfile,digest,x,xca,
@@ -916,17 +918,17 @@ bad:
 				else
 					{
 					pk=load_key(bio_err,
-						keyfile,FORMAT_PEM, passin, e,
+						keyfile, FORMAT_PEM, 0,
-						"request key");
+						passin, e, "request key");
 					if (pk == NULL) goto end;
 					}
 				BIO_printf(bio_err,"Generating certificate request\n");
 #ifndef OPENSSL_NO_DSA
 		                if (pk->type == EVP_PKEY_DSA)
 		                        digest=EVP_dss1();
-				else if (pk->type == EVP_PKEY_ECDSA)
+#endif
 					digest=EVP_ecdsa();
 				rq=X509_to_X509_REQ(x,pk,digest);
 				EVP_PKEY_free(pk);
@@ -1023,7 +1025,7 @@ end:
 	sk_ASN1_OBJECT_pop_free(reject, ASN1_OBJECT_free);
 	if (passin) OPENSSL_free(passin);
 	apps_shutdown();
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
 static ASN1_INTEGER *load_serial(char *CAfile, char *serialfile, int create)
@@ -1081,7 +1083,7 @@ static ASN1_INTEGER *load_serial(char *CAfile, char *serialfile, int create)
 		}
 	else 
 		{
-		if (!a2i_ASN1_INTEGER(io,bs,buf2,1024))
+		if (!a2i_ASN1_INTEGER(io,bs,buf2,sizeof buf2))
 			{
 			BIO_printf(bio_err,"unable to load serial number from %s\n",buf);
 			ERR_print_errors(bio_err);
--- a/84
+++ b/84
@@ -74,34 +74,27 @@ if [ "x$XREL" != "x" ]; then
 		echo "whatever-whatever-sco5"; exit 0
 		;;
 	    4.2MP)
-		if [ "x$VERSION" = "x2.01" ]; then
+		case "x${VERSION}" in
-		    echo "${MACHINE}-whatever-unixware201"; exit 0
+		    x2.0*) echo "whatever-whatever-unixware20"; exit 0 ;;
-		elif [ "x$VERSION" = "x2.02" ]; then
+		    x2.1*) echo "whatever-whatever-unixware21"; exit 0 ;;
-		    echo "${MACHINE}-whatever-unixware202"; exit 0
+		    x2*)   echo "whatever-whatever-unixware2";  exit 0 ;;
-		elif [ "x$VERSION" = "x2.03" ]; then
+		esac
 		    echo "${MACHINE}-whatever-unixware203"; exit 0
 		elif [ "x$VERSION" = "x2.1.1" ]; then
 		    echo "${MACHINE}-whatever-unixware211"; exit 0
 		elif [ "x$VERSION" = "x2.1.2" ]; then
 		    echo "${MACHINE}-whatever-unixware212"; exit 0
 		elif [ "x$VERSION" = "x2.1.3" ]; then
 		    echo "${MACHINE}-whatever-unixware213"; exit 0
 		else
 		    echo "${MACHINE}-whatever-unixware2"; exit 0
 		fi
 		;;
 	    4.2)
-		echo "whatever-whatever-unixware1"; exit 0
+		echo "i386-whatever-unixware1"; exit 0
 		;;
 	    OpenUNIX)
 		if [ "`echo x$VERSION | sed -e 's/\..*//'`" = "x8" ]; then
 		    echo "${MACHINE}-unknown-OpenUNIX${VERSION}"; exit 0
 		fi
 		;;
 	    5)
-		if [ "`echo x$VERSION | sed -e 's/\..*//'`" = "x7" ]; then
+		case "x${VERSION}" in
-		    echo "${MACHINE}-sco-unixware7"; exit 0
+		    # We hardcode i586 in place of ${MACHINE} for the
-		fi
+		    # following reason. The catch is that even though Pentium
 		    # is minimum requirement for platforms in question,
 		    # ${MACHINE} gets always assigned to i386. Now, problem
 		    # with i386 is that it makes ./config pass 386 to
 		    # ./Configure, which in turn makes make generate
 		    # inefficient SHA-1 (for this moment) code.
 		    x7*)  echo "i586-sco-unixware7";           exit 0 ;;
 		    x8*)  echo "i586-unkn-OpenUNIX${VERSION}"; exit 0 ;;
 		esac
 		;;
 	esac
    fi
@@ -196,7 +189,7 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
 	echo "${MACHINE}-whatever-bsdi"; exit 0
 	;;
-    FreeBSD:*)
+    FreeBSD:*:*:*386*)
        VERS=`echo ${RELEASE} | sed -e 's/[-(].*//'`
        MACH=`sysctl -n hw.model`
        ARCH='whatever'
@@ -205,7 +198,6 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
           *486*       ) MACH="i486"     ;;
           Pentium\ II*) MACH="i686"     ;;
           Pentium*    ) MACH="i586"     ;;
           Alpha*      ) MACH="alpha"    ;;
           *           ) MACH="$MACHINE" ;;
        esac
        case ${MACH} in
@@ -214,6 +206,10 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
        echo "${MACH}-${ARCH}-freebsd${VERS}"; exit 0
        ;;
    FreeBSD:*)
 	echo "${MACHINE}-whatever-freebsd"; exit 0
 	;;
    NetBSD:*:*:*386*)
        echo "`(/usr/sbin/sysctl -n hw.model || /sbin/sysctl -n hw.model) | sed 's,.*\(.\)86-class.*,i\186,'`-whatever-netbsd"; exit 0
 	;;
@@ -351,6 +347,10 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
    *CRAY*)
       echo "j90-cray-unicos"; exit 0;
       ;;
    NONSTOP_KERNEL*)
       echo "nsr-tandem-nsk"; exit 0;
       ;;
 esac
 #
@@ -393,6 +393,9 @@ exit 0
 GCCVER=`(gcc -dumpversion) 2>/dev/null`
 if [ "$GCCVER" != "" ]; then
  CC=gcc
  # then strip off whatever prefix egcs prepends the number with...
  # Hopefully, this will work for any future prefixes as well.
  GCCVER=`echo $GCCVER | sed 's/^[a-zA-Z]*\-//'`
  # Since gcc 3.1 gcc --version behaviour has changed.  gcc -dumpversion
  # does give us what we want though, so we use that.  We just just the
  # major and minor version numbers.
@@ -454,6 +457,10 @@ if [ "${SYSTEM}-${MACHINE}" = "Linux-alpha" ]; then
  fi
 fi
 if [ "${SYSTEM}" = "AIX" ]; then	# favor vendor cc over gcc
    (cc) 2>&1 | grep -iv "command not found" > /dev/null && CC=cc
 fi
 CCVER=${CCVER:-0}
 # read the output of the embedded GuessOS 
@@ -540,12 +547,13 @@ EOF
  ppc-apple-darwin*) OUT="darwin-ppc-cc" ;;
  i386-apple-darwin*) OUT="darwin-i386-cc" ;;
  sparc64-*-linux2)
-	#Before we can uncomment following lines we have to wait at least
+	echo "WARNING! If you *know* that your GNU C supports 64-bit/V9 ABI"
-	#till 64-bit glibc for SPARC is operational:-(
+	echo "         and wish to build 64-bit library, then you have to"
-	#echo "WARNING! If you wish to build 64-bit library, then you have to"
+	echo "         invoke './Configure linux64-sparcv9' *manually*."
-	#echo "         invoke './Configure linux64-sparcv9' *manually*."
+	if [ "$TEST" = "false" ]; then
-	#echo "         Type return if you want to continue, Ctrl-C to abort."
+	  echo "          You have about 5 seconds to press Ctrl-C to abort."
-	#read waste < /dev/tty
+	  (stty -icanon min 0 time 50; read waste) < /dev/tty
 	fi
 	OUT="linux-sparcv9" ;;
  sparc-*-linux2)
 	KARCH=`awk '/^type/{print$3}' /proc/cpuinfo`
@@ -578,6 +586,7 @@ EOF
  arm*-*-linux2) OUT="linux-elf-arm" ;;
  s390-*-linux2) OUT="linux-s390" ;;
  s390x-*-linux?) OUT="linux-s390x" ;;
  x86_64-*-linux?) OUT="linux-x86_64" ;;
  *-*-linux2) OUT="linux-elf"
 	if [ "$GCCVER" -gt 28 ]; then
          if grep '^model.*Pentium' /proc/cpuinfo >/dev/null ; then
@@ -631,6 +640,8 @@ EOF
  *86*-*-solaris2) OUT="solaris-x86-$CC" ;;
  *-*-sunos4) OUT="sunos-$CC" ;;
  alpha*-*-freebsd*) OUT="FreeBSD-alpha" ;;
  sparc64-*-freebsd*) OUT="FreeBSD-sparc64" ;;
  ia64-*-freebsd*) OUT="FreeBSD-ia64" ;;
  *-freebsd[3-9]*) OUT="FreeBSD-elf" ;;
  *-freebsd[1-2]*) OUT="FreeBSD" ;;
  *86*-*-netbsd) OUT="NetBSD-x86" ;;
@@ -687,9 +698,11 @@ EOF
 	CPU_VERSION=${CPU_VERSION:-0}
 	# See <sys/unistd.h> for further info on CPU_VERSION.
 	if   [ $CPU_VERSION -ge 768 ]; then	# IA-64 CPU
-	     echo "NOTICE! 64-bit is the only ABI currently operational on HP-UXi."
+	     echo "WARNING! 64-bit ABI is the default configured ABI on HP-UXi."
-	     echo "        Post request to openssl-dev@openssl.org for 32-bit support."
+	     echo "         If you wish to build 32-bit library, the you have to"
 	     echo "         invoke './Configure hpux-ia32-cc' *manually*."
 	     if [ "$TEST" = "false" ]; then
 		echo "         You have about 5 seconds to press Ctrl-C to abort."
 		(stty -icanon min 0 time 50; read waste) < /dev/tty
 	     fi
 	     OUT="hpux64-ia64-cc"
@@ -722,6 +735,7 @@ EOF
  *-*-cygwin) OUT="Cygwin" ;;
  t3e-cray-unicosmk) OUT="cray-t3e" ;;
  j90-cray-unicos) OUT="cray-j90" ;;
  nsr-tandem-nsk) OUT="tandem-c89" ;;
  *) OUT=`echo $GUESSOS | awk -F- '{print $3}'`;;
 esac
@@ -756,7 +770,7 @@ case "$GUESSOS" in
  i386-*) options="$options 386" ;;
 esac
-for i in bf cast des dh dsa ec hmac idea md2 md5 mdc2 rc2 rc4 rc5 rijndael ripemd rsa sha
+for i in bf cast des dh dsa ec hmac idea md2 md5 mdc2 rc2 rc4 rc5 aes ripemd rsa sha
 do
  if [ ! -d crypto/$i ]
  then
--- a/crypto/Makefile.ssl
+++ b/crypto/Makefile.ssl
@@ -28,7 +28,7 @@ LIBS=
 SDIRS=	md2 md5 sha mdc2 hmac ripemd \
 	des rc2 rc4 rc5 idea bf cast \
-	bn ec rsa dsa ecdsa dh dso engine aes \
+	bn ec rsa dsa dh dso engine aes \
 	buffer bio stack lhash rand err objects \
 	evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5
@@ -36,8 +36,8 @@ GENERAL=Makefile README crypto-lib.com install.com
 LIB= $(TOP)/libcrypto.a
 SHARED_LIB= libcrypto$(SHLIB_EXT)
-LIBSRC=	cryptlib.c mem.c mem_dbg.c cversion.c ex_data.c tmdiff.c cpt_err.c ebcdic.c uid.c o_time.c
+LIBSRC=	cryptlib.c mem.c mem_clr.c mem_dbg.c cversion.c ex_data.c tmdiff.c cpt_err.c ebcdic.c uid.c o_time.c
-LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o tmdiff.o cpt_err.o ebcdic.o uid.o o_time.o
+LIBOBJ= cryptlib.o mem.o mem_clr.o mem_dbg.o cversion.o ex_data.o tmdiff.o cpt_err.o ebcdic.o uid.o o_time.o
 SRC= $(LIBSRC)
@@ -98,7 +98,7 @@ lib:	$(LIBOBJ)
 shared:
 	if [ -n "$(SHARED_LIBS)" ]; then \
-		(cd ..; make $(SHARED_LIB)); \
+		(cd ..; $(MAKE) $(SHARED_LIB)); \
 	fi
 libs:
@@ -136,12 +136,12 @@ lint:
 depend:
 	if [ ! -f buildinf.h ]; then touch buildinf.h; fi # fake buildinf.h if it does not exist
-	$(MAKEDEPEND) $(CFLAG) $(INCLUDE) $(DEPFLAG) $(PROGS) $(LIBSRC)
+	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDE) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 	if [ ! -s buildinf.h ]; then rm buildinf.h; fi
 	@for i in $(SDIRS) ;\
 	do \
 	(cd $$i && echo "making depend in crypto/$$i..." && \
-	$(MAKE) MAKEFILE='${MAKEFILE}' INCLUDES='${INCLUDES}' CFLAG='${CFLAG}' DEPFLAG='${DEPFLAG}' PERL='${PERL}' depend ); \
+	$(MAKE) MAKEFILE='${MAKEFILE}' INCLUDES='${INCLUDES}' CFLAG='${CFLAG}' DEPFLAG='${DEPFLAG}' MAKEDEPPROG='${MAKEDEPPROG}' KRB5_INCLUDES='${KRB5_INCLUDES}' PERL='${PERL}' depend ); \
 	done;
 clean:
@@ -180,7 +180,7 @@ cversion.o: ../include/openssl/err.h ../include/openssl/lhash.h
 cversion.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
 cversion.o: ../include/openssl/safestack.h ../include/openssl/stack.h
 cversion.o: ../include/openssl/symhacks.h buildinf.h cryptlib.h cversion.c
-ebcdic.o: ../include/openssl/opensslconf.h ebcdic.c
+ebcdic.o: ../include/openssl/e_os2.h ../include/openssl/opensslconf.h ebcdic.c
 ex_data.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/buffer.h
 ex_data.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
 ex_data.o: ../include/openssl/err.h ../include/openssl/lhash.h
@@ -193,6 +193,10 @@ mem.o: ../include/openssl/err.h ../include/openssl/lhash.h
 mem.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
 mem.o: ../include/openssl/safestack.h ../include/openssl/stack.h
 mem.o: ../include/openssl/symhacks.h cryptlib.h mem.c
 mem_clr.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
 mem_clr.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
 mem_clr.o: ../include/openssl/safestack.h ../include/openssl/stack.h
 mem_clr.o: ../include/openssl/symhacks.h mem_clr.c
 mem_dbg.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/buffer.h
 mem_dbg.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
 mem_dbg.o: ../include/openssl/err.h ../include/openssl/lhash.h
--- a/crypto/aes/Makefile.ssl
+++ b/crypto/aes/Makefile.ssl
@@ -75,7 +75,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 depend:
-	$(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 dclean:
 	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
--- a/crypto/aes/aes.h
+++ b/crypto/aes/aes.h
@@ -56,8 +56,9 @@
 #error AES is disabled.
 #endif
-static const int AES_DECRYPT = 0;
+#define AES_ENCRYPT	1
-static const int AES_ENCRYPT = 1;
+#define AES_DECRYPT	0
 /* Because array size can't be a const in C, the following two are macros.
   Both sizes are in bytes. */
 #define AES_MAXNR 14
@@ -99,7 +100,9 @@ void AES_ofb128_encrypt(const unsigned char *in, unsigned char *out,
 	unsigned char *ivec, int *num);
 void AES_ctr128_encrypt(const unsigned char *in, unsigned char *out,
 	const unsigned long length, const AES_KEY *key,
-	unsigned char *counter, unsigned int *num);
+	unsigned char counter[AES_BLOCK_SIZE],
 	unsigned char ecount_buf[AES_BLOCK_SIZE],
 	unsigned int *num);
 #ifdef  __cplusplus
--- a/crypto/aes/aes_cbc.c
+++ b/crypto/aes/aes_cbc.c
@@ -49,7 +49,13 @@
 *
 */
 #ifndef AES_DEBUG
 # ifndef NDEBUG
 #  define NDEBUG
 # endif
 #endif
 #include <assert.h>
 #include <openssl/aes.h>
 #include "aes_locl.h"
@@ -57,33 +63,49 @@ void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
 		     const unsigned long length, const AES_KEY *key,
 		     unsigned char *ivec, const int enc) {
-	int n;
+	unsigned long n;
 	unsigned long len = length;
-	unsigned char tmp[16];
+	unsigned char tmp[AES_BLOCK_SIZE];
 	assert(in && out && key && ivec);
 	assert(length % AES_BLOCK_SIZE == 0);
 	assert((AES_ENCRYPT == enc)||(AES_DECRYPT == enc));
-	if (AES_ENCRYPT == enc)
+	if (AES_ENCRYPT == enc) {
-		while (len > 0) {
+		while (len >= AES_BLOCK_SIZE) {
-			for(n=0; n < 16; ++n)
+			for(n=0; n < sizeof tmp; ++n)
 				tmp[n] = in[n] ^ ivec[n];
 			AES_encrypt(tmp, out, key);
-			memcpy(ivec, out, 16);
+			memcpy(ivec, out, AES_BLOCK_SIZE);
-			len -= 16;
+			len -= AES_BLOCK_SIZE;
-			in += 16;
+			in += AES_BLOCK_SIZE;
-			out += 16;
+			out += AES_BLOCK_SIZE;
 		}
-	else
+		if (len) {
-		while (len > 0) {
+			for(n=0; n < len; ++n)
-			memcpy(tmp, in, 16);
+				tmp[n] = in[n] ^ ivec[n];
 			for(n=len; n < AES_BLOCK_SIZE; ++n)
 				tmp[n] = ivec[n];
 			AES_encrypt(tmp, tmp, key);
 			memcpy(out, tmp, len);
 			memcpy(ivec, tmp, sizeof tmp);
 		}			
 	} else {
 		while (len >= AES_BLOCK_SIZE) {
 			memcpy(tmp, in, sizeof tmp);
 			AES_decrypt(in, out, key);
-			for(n=0; n < 16; ++n)
+			for(n=0; n < AES_BLOCK_SIZE; ++n)
 				out[n] ^= ivec[n];
-			memcpy(ivec, tmp, 16);
+			memcpy(ivec, tmp, AES_BLOCK_SIZE);
-			len -= 16;
+			len -= AES_BLOCK_SIZE;
-			in += 16;
+			in += AES_BLOCK_SIZE;
-			out += 16;
+			out += AES_BLOCK_SIZE;
 		}
 		if (len) {
 			memcpy(tmp, in, sizeof tmp);
 			AES_decrypt(tmp, tmp, key);
 			for(n=0; n < len; ++n)
 				out[n] ^= ivec[n];
 			memcpy(ivec, tmp, sizeof tmp);
 		}			
 	}
 }
--- a/crypto/aes/aes_cfb.c
+++ b/crypto/aes/aes_cfb.c
@@ -105,7 +105,13 @@
 * [including the GNU Public Licence.]
 */
 #ifndef AES_DEBUG
 # ifndef NDEBUG
 #  define NDEBUG
 # endif
 #endif
 #include <assert.h>
 #include <openssl/aes.h>
 #include "aes_locl.h"
--- a/crypto/aes/aes_core.c
+++ b/crypto/aes/aes_core.c
@@ -28,7 +28,13 @@
 /* Note: rewritten a little bit to provide error control and an OpenSSL-
   compatible API */
 #ifndef AES_DEBUG
 # ifndef NDEBUG
 #  define NDEBUG
 # endif
 #endif
 #include <assert.h>
 #include <stdlib.h>
 #include <openssl/aes.h>
 #include "aes_locl.h"
@@ -744,7 +750,7 @@ int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
 	rk[2] = GETU32(userKey +  8);
 	rk[3] = GETU32(userKey + 12);
 	if (bits == 128) {
-		for (;;) {
+		while (1) {
 			temp  = rk[3];
 			rk[4] = rk[0] ^
 				(Te4[(temp >> 16) & 0xff] & 0xff000000) ^
@@ -764,7 +770,7 @@ int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
 	rk[4] = GETU32(userKey + 16);
 	rk[5] = GETU32(userKey + 20);
 	if (bits == 192) {
-		for (;;) {
+		while (1) {
 			temp = rk[ 5];
 			rk[ 6] = rk[ 0] ^
 				(Te4[(temp >> 16) & 0xff] & 0xff000000) ^
@@ -786,7 +792,7 @@ int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
 	rk[6] = GETU32(userKey + 24);
 	rk[7] = GETU32(userKey + 28);
 	if (bits == 256) {
-		for (;;) {
+		while (1) {
 			temp = rk[ 7];
 			rk[ 8] = rk[ 0] ^
 				(Te4[(temp >> 16) & 0xff] & 0xff000000) ^
--- a/crypto/aes/aes_ctr.c
+++ b/crypto/aes/aes_ctr.c
@@ -49,7 +49,13 @@
 *
 */
 #ifndef AES_DEBUG
 # ifndef NDEBUG
 #  define NDEBUG
 # endif
 #endif
 #include <assert.h>
 #include <openssl/aes.h>
 #include "aes_locl.h"
@@ -90,26 +96,31 @@ static void AES_ctr128_inc(unsigned char *counter) {
 /* The input encrypted as though 128bit counter mode is being
 * used.  The extra state information to record how much of the
- * 128bit block we have used is contained in *num;
+ * 128bit block we have used is contained in *num, and the
 * encrypted counter is kept in ecount_buf.  Both *num and
 * ecount_buf must be initialised with zeros before the first
 * call to AES_ctr128_encrypt().
 */
 void AES_ctr128_encrypt(const unsigned char *in, unsigned char *out,
 	const unsigned long length, const AES_KEY *key,
-	unsigned char *counter, unsigned int *num) {
+	unsigned char counter[AES_BLOCK_SIZE],
 	unsigned char ecount_buf[AES_BLOCK_SIZE],
 	unsigned int *num) {
 	unsigned int n;
 	unsigned long l=length;
 	unsigned char tmp[AES_BLOCK_SIZE];
 	assert(in && out && key && counter && num);
 	assert(*num < AES_BLOCK_SIZE);
 	n = *num;
 	while (l--) {
 		if (n == 0) {
-			AES_encrypt(counter, tmp, key);
+			AES_encrypt(counter, ecount_buf, key);
 			AES_ctr128_inc(counter);
 		}
-		*(out++) = *(in++) ^ tmp[n];
+		*(out++) = *(in++) ^ ecount_buf[n];
 		n = (n+1) % AES_BLOCK_SIZE;
 	}
--- a/crypto/aes/aes_ecb.c
+++ b/crypto/aes/aes_ecb.c
@@ -49,7 +49,13 @@
 *
 */
 #ifndef AES_DEBUG
 # ifndef NDEBUG
 #  define NDEBUG
 # endif
 #endif
 #include <assert.h>
 #include <openssl/aes.h>
 #include "aes_locl.h"
--- a/crypto/aes/aes_locl.h
+++ b/crypto/aes/aes_locl.h
@@ -62,7 +62,7 @@
 #include <stdlib.h>
 #include <string.h>
-#ifdef _MSC_VER
+#if defined(_MSC_VER) && !defined(OPENSSL_SYS_WINCE)
 # define SWAP(x) (_lrotl(x, 8) & 0x00ff00ff | _lrotr(x, 8) & 0xff00ff00)
 # define GETU32(p) SWAP(*((u32 *)(p)))
 # define PUTU32(ct, st) { *((u32 *)(ct)) = SWAP((st)); }
--- a/crypto/aes/aes_ofb.c
+++ b/crypto/aes/aes_ofb.c
@@ -105,7 +105,13 @@
 * [including the GNU Public Licence.]
 */
 #ifndef AES_DEBUG
 # ifndef NDEBUG
 #  define NDEBUG
 # endif
 #endif
 #include <assert.h>
 #include <openssl/aes.h>
 #include "aes_locl.h"
--- a/crypto/asn1/Makefile.ssl
+++ b/crypto/asn1/Makefile.ssl
@@ -98,7 +98,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 depend:
-	$(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 dclean:
 	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
@@ -145,19 +145,18 @@ a_d2i_fp.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 a_d2i_fp.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 a_d2i_fp.o: ../../include/openssl/symhacks.h ../cryptlib.h a_d2i_fp.c
 a_digest.o: ../../e_os.h ../../include/openssl/aes.h
-a_digest.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
+a_digest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-a_digest.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+a_digest.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-a_digest.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+a_digest.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-a_digest.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+a_digest.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-a_digest.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
+a_digest.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-a_digest.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+a_digest.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-a_digest.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+a_digest.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-a_digest.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+a_digest.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-a_digest.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+a_digest.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-a_digest.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+a_digest.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-a_digest.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
+a_digest.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-a_digest.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+a_digest.o: ../../include/openssl/opensslconf.h
 a_digest.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 a_digest.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 a_digest.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
 a_digest.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
@@ -267,49 +266,47 @@ a_set.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
 a_set.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 a_set.o: ../cryptlib.h a_set.c
 a_sign.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-a_sign.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+a_sign.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-a_sign.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+a_sign.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-a_sign.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+a_sign.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-a_sign.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+a_sign.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-a_sign.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
+a_sign.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-a_sign.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+a_sign.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-a_sign.o: ../../include/openssl/ec.h ../../include/openssl/ecdsa.h
+a_sign.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-a_sign.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+a_sign.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-a_sign.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+a_sign.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-a_sign.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+a_sign.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-a_sign.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+a_sign.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-a_sign.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+a_sign.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-a_sign.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+a_sign.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-a_sign.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+a_sign.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-a_sign.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+a_sign.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-a_sign.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+a_sign.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-a_sign.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+a_sign.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-a_sign.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+a_sign.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-a_sign.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+a_sign.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-a_sign.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
+a_sign.o: ../cryptlib.h a_sign.c
-a_sign.o: ../../include/openssl/x509_vfy.h ../cryptlib.h a_sign.c
+a_strex.o: ../../e_os.h ../../include/openssl/aes.h
-a_strex.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
+a_strex.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 a_strex.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
 a_strex.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 a_strex.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
 a_strex.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
 a_strex.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
 a_strex.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-a_strex.o: ../../include/openssl/ec.h ../../include/openssl/ecdsa.h
+a_strex.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-a_strex.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+a_strex.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-a_strex.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+a_strex.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-a_strex.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
+a_strex.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-a_strex.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+a_strex.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-a_strex.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+a_strex.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-a_strex.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+a_strex.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-a_strex.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+a_strex.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-a_strex.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+a_strex.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-a_strex.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+a_strex.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-a_strex.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+a_strex.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-a_strex.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+a_strex.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-a_strex.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+a_strex.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-a_strex.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+a_strex.o: ../../include/openssl/x509_vfy.h ../cryptlib.h a_strex.c charmap.h
 a_strex.o: a_strex.c charmap.h
 a_strnid.o: ../../e_os.h ../../include/openssl/asn1.h
 a_strnid.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 a_strnid.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
@@ -354,19 +351,18 @@ a_utf8.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
 a_utf8.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 a_utf8.o: ../cryptlib.h a_utf8.c
 a_verify.o: ../../e_os.h ../../include/openssl/aes.h
-a_verify.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
+a_verify.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-a_verify.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+a_verify.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-a_verify.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+a_verify.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-a_verify.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+a_verify.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-a_verify.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
+a_verify.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-a_verify.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+a_verify.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-a_verify.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+a_verify.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-a_verify.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+a_verify.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-a_verify.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+a_verify.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-a_verify.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+a_verify.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-a_verify.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
+a_verify.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-a_verify.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+a_verify.o: ../../include/openssl/opensslconf.h
 a_verify.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 a_verify.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 a_verify.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
 a_verify.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
@@ -402,20 +398,19 @@ asn1_par.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 asn1_par.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 asn1_par.o: ../../include/openssl/symhacks.h ../cryptlib.h asn1_par.c
 asn_moid.o: ../../e_os.h ../../include/openssl/aes.h
-asn_moid.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
+asn_moid.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-asn_moid.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+asn_moid.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-asn_moid.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+asn_moid.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-asn_moid.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
+asn_moid.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-asn_moid.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+asn_moid.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-asn_moid.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
+asn_moid.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-asn_moid.o: ../../include/openssl/dsa.h ../../include/openssl/dso.h
+asn_moid.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
-asn_moid.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+asn_moid.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-asn_moid.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+asn_moid.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-asn_moid.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+asn_moid.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-asn_moid.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+asn_moid.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-asn_moid.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
+asn_moid.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-asn_moid.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+asn_moid.o: ../../include/openssl/opensslconf.h
 asn_moid.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 asn_moid.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 asn_moid.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
 asn_moid.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
@@ -434,47 +429,43 @@ asn_pack.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 asn_pack.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 asn_pack.o: ../../include/openssl/symhacks.h ../cryptlib.h asn_pack.c
 d2i_pr.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-d2i_pr.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+d2i_pr.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-d2i_pr.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+d2i_pr.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-d2i_pr.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+d2i_pr.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-d2i_pr.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+d2i_pr.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-d2i_pr.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
+d2i_pr.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-d2i_pr.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+d2i_pr.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-d2i_pr.o: ../../include/openssl/ec.h ../../include/openssl/ecdsa.h
+d2i_pr.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-d2i_pr.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+d2i_pr.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-d2i_pr.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+d2i_pr.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-d2i_pr.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+d2i_pr.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-d2i_pr.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+d2i_pr.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-d2i_pr.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+d2i_pr.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-d2i_pr.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+d2i_pr.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-d2i_pr.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rc2.h
+d2i_pr.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-d2i_pr.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+d2i_pr.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-d2i_pr.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+d2i_pr.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-d2i_pr.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+d2i_pr.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-d2i_pr.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+d2i_pr.o: ../../include/openssl/ui_compat.h ../cryptlib.h d2i_pr.c
 d2i_pr.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
 d2i_pr.o: ../cryptlib.h d2i_pr.c
 d2i_pu.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-d2i_pu.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+d2i_pu.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-d2i_pu.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+d2i_pu.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-d2i_pu.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+d2i_pu.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-d2i_pu.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+d2i_pu.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-d2i_pu.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
+d2i_pu.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-d2i_pu.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+d2i_pu.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-d2i_pu.o: ../../include/openssl/ec.h ../../include/openssl/ecdsa.h
+d2i_pu.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-d2i_pu.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+d2i_pu.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-d2i_pu.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+d2i_pu.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-d2i_pu.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+d2i_pu.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-d2i_pu.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+d2i_pu.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-d2i_pu.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+d2i_pu.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-d2i_pu.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+d2i_pu.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-d2i_pu.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rc2.h
+d2i_pu.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-d2i_pu.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+d2i_pu.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-d2i_pu.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+d2i_pu.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-d2i_pu.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+d2i_pu.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-d2i_pu.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+d2i_pu.o: ../../include/openssl/ui_compat.h ../cryptlib.h d2i_pu.c
 d2i_pu.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
 d2i_pu.o: ../cryptlib.h d2i_pu.c
 evp_asn1.o: ../../e_os.h ../../include/openssl/asn1.h
 evp_asn1.o: ../../include/openssl/asn1_mac.h ../../include/openssl/bio.h
 evp_asn1.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
@@ -509,47 +500,43 @@ f_string.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 f_string.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 f_string.o: ../../include/openssl/symhacks.h ../cryptlib.h f_string.c
 i2d_pr.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-i2d_pr.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+i2d_pr.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-i2d_pr.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+i2d_pr.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-i2d_pr.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+i2d_pr.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-i2d_pr.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+i2d_pr.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-i2d_pr.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
+i2d_pr.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-i2d_pr.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+i2d_pr.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-i2d_pr.o: ../../include/openssl/ec.h ../../include/openssl/ecdsa.h
+i2d_pr.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-i2d_pr.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+i2d_pr.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-i2d_pr.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+i2d_pr.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-i2d_pr.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+i2d_pr.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-i2d_pr.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+i2d_pr.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-i2d_pr.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+i2d_pr.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-i2d_pr.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+i2d_pr.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-i2d_pr.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rc2.h
+i2d_pr.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-i2d_pr.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+i2d_pr.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-i2d_pr.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+i2d_pr.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-i2d_pr.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+i2d_pr.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-i2d_pr.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+i2d_pr.o: ../../include/openssl/ui_compat.h ../cryptlib.h i2d_pr.c
 i2d_pr.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
 i2d_pr.o: ../cryptlib.h i2d_pr.c
 i2d_pu.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-i2d_pu.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+i2d_pu.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-i2d_pu.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+i2d_pu.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-i2d_pu.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+i2d_pu.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-i2d_pu.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+i2d_pu.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-i2d_pu.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
+i2d_pu.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-i2d_pu.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+i2d_pu.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-i2d_pu.o: ../../include/openssl/ec.h ../../include/openssl/ecdsa.h
+i2d_pu.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-i2d_pu.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+i2d_pu.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-i2d_pu.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+i2d_pu.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-i2d_pu.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+i2d_pu.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-i2d_pu.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+i2d_pu.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-i2d_pu.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+i2d_pu.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-i2d_pu.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+i2d_pu.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-i2d_pu.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rc2.h
+i2d_pu.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-i2d_pu.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+i2d_pu.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-i2d_pu.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+i2d_pu.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-i2d_pu.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+i2d_pu.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-i2d_pu.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+i2d_pu.o: ../../include/openssl/ui_compat.h ../cryptlib.h i2d_pu.c
 i2d_pu.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
 i2d_pu.o: ../cryptlib.h i2d_pu.c
 n_pkey.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
 n_pkey.o: ../../include/openssl/asn1_mac.h ../../include/openssl/asn1t.h
 n_pkey.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
@@ -557,8 +544,7 @@ n_pkey.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
 n_pkey.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
 n_pkey.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
 n_pkey.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-n_pkey.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+n_pkey.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 n_pkey.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
 n_pkey.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
 n_pkey.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
 n_pkey.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
@@ -580,7 +566,6 @@ nsseq.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
 nsseq.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
 nsseq.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
 nsseq.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 nsseq.o: ../../include/openssl/ec.h ../../include/openssl/ecdsa.h
 nsseq.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
 nsseq.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
 nsseq.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
@@ -601,7 +586,6 @@ p5_pbe.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
 p5_pbe.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
 p5_pbe.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
 p5_pbe.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 p5_pbe.o: ../../include/openssl/ec.h ../../include/openssl/ecdsa.h
 p5_pbe.o: ../../include/openssl/err.h ../../include/openssl/evp.h
 p5_pbe.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
 p5_pbe.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
@@ -624,8 +608,7 @@ p5_pbev2.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
 p5_pbev2.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
 p5_pbev2.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
 p5_pbev2.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-p5_pbev2.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+p5_pbev2.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 p5_pbev2.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
 p5_pbev2.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
 p5_pbev2.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
 p5_pbev2.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
@@ -647,8 +630,7 @@ p8_pkey.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
 p8_pkey.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
 p8_pkey.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
 p8_pkey.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-p8_pkey.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+p8_pkey.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 p8_pkey.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
 p8_pkey.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
 p8_pkey.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
 p8_pkey.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
@@ -664,155 +646,144 @@ p8_pkey.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
 p8_pkey.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 p8_pkey.o: ../cryptlib.h p8_pkey.c
 t_bitst.o: ../../e_os.h ../../include/openssl/aes.h
-t_bitst.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
+t_bitst.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-t_bitst.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+t_bitst.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-t_bitst.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+t_bitst.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-t_bitst.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
+t_bitst.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-t_bitst.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+t_bitst.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-t_bitst.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
+t_bitst.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-t_bitst.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+t_bitst.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-t_bitst.o: ../../include/openssl/ec.h ../../include/openssl/ecdsa.h
+t_bitst.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-t_bitst.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+t_bitst.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-t_bitst.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+t_bitst.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-t_bitst.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+t_bitst.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-t_bitst.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+t_bitst.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-t_bitst.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+t_bitst.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-t_bitst.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+t_bitst.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-t_bitst.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+t_bitst.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-t_bitst.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+t_bitst.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-t_bitst.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+t_bitst.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-t_bitst.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+t_bitst.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-t_bitst.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+t_bitst.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-t_bitst.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+t_bitst.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-t_bitst.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
+t_bitst.o: ../../include/openssl/x509v3.h ../cryptlib.h t_bitst.c
 t_bitst.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
 t_bitst.o: ../cryptlib.h t_bitst.c
 t_crl.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-t_crl.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+t_crl.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-t_crl.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+t_crl.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-t_crl.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+t_crl.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
-t_crl.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+t_crl.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-t_crl.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
+t_crl.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-t_crl.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+t_crl.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-t_crl.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+t_crl.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-t_crl.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+t_crl.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-t_crl.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+t_crl.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-t_crl.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+t_crl.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-t_crl.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
+t_crl.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-t_crl.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+t_crl.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-t_crl.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+t_crl.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-t_crl.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+t_crl.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-t_crl.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+t_crl.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-t_crl.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+t_crl.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-t_crl.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+t_crl.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-t_crl.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+t_crl.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-t_crl.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+t_crl.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-t_crl.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+t_crl.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-t_crl.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+t_crl.o: ../cryptlib.h t_crl.c
-t_crl.o: ../../include/openssl/x509v3.h ../cryptlib.h t_crl.c
+t_pkey.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 t_pkey.o: ../../e_os.h ../../include/openssl/asn1.h
 t_pkey.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
 t_pkey.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
 t_pkey.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
 t_pkey.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 t_pkey.o: ../../include/openssl/ec.h ../../include/openssl/ecdsa.h
 t_pkey.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
 t_pkey.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 t_pkey.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 t_pkey.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rsa.h
 t_pkey.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 t_pkey.o: ../../include/openssl/symhacks.h ../cryptlib.h t_pkey.c
 t_req.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-t_req.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+t_req.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-t_req.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+t_req.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-t_req.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+t_req.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
-t_req.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+t_req.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-t_req.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
+t_req.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-t_req.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+t_req.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-t_req.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+t_req.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-t_req.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+t_req.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-t_req.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+t_req.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-t_req.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+t_req.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-t_req.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
+t_req.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-t_req.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+t_req.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-t_req.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+t_req.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-t_req.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+t_req.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-t_req.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+t_req.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-t_req.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+t_req.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-t_req.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+t_req.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-t_req.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+t_req.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-t_req.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+t_req.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-t_req.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+t_req.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-t_req.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+t_req.o: ../cryptlib.h t_req.c
 t_req.o: ../../include/openssl/x509v3.h ../cryptlib.h t_req.c
 t_spki.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-t_spki.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+t_spki.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-t_spki.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+t_spki.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-t_spki.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+t_spki.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-t_spki.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+t_spki.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-t_spki.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
+t_spki.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-t_spki.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+t_spki.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-t_spki.o: ../../include/openssl/ec.h ../../include/openssl/ecdsa.h
+t_spki.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-t_spki.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+t_spki.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-t_spki.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+t_spki.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-t_spki.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+t_spki.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-t_spki.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+t_spki.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-t_spki.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+t_spki.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-t_spki.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+t_spki.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-t_spki.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+t_spki.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-t_spki.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+t_spki.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-t_spki.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+t_spki.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-t_spki.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+t_spki.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-t_spki.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+t_spki.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-t_spki.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+t_spki.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-t_spki.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
+t_spki.o: ../cryptlib.h t_spki.c
 t_spki.o: ../../include/openssl/x509_vfy.h ../cryptlib.h t_spki.c
 t_x509.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-t_x509.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+t_x509.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-t_x509.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+t_x509.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-t_x509.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+t_x509.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
-t_x509.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+t_x509.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-t_x509.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
+t_x509.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-t_x509.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+t_x509.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-t_x509.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+t_x509.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-t_x509.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+t_x509.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-t_x509.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+t_x509.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-t_x509.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+t_x509.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-t_x509.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
+t_x509.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-t_x509.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+t_x509.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-t_x509.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+t_x509.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-t_x509.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+t_x509.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-t_x509.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+t_x509.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-t_x509.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+t_x509.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-t_x509.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+t_x509.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-t_x509.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+t_x509.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-t_x509.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+t_x509.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-t_x509.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+t_x509.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-t_x509.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+t_x509.o: ../cryptlib.h t_x509.c
 t_x509.o: ../../include/openssl/x509v3.h ../cryptlib.h t_x509.c
 t_x509a.o: ../../e_os.h ../../include/openssl/aes.h
-t_x509a.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
+t_x509a.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-t_x509a.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+t_x509a.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-t_x509a.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+t_x509a.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-t_x509a.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+t_x509a.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-t_x509a.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
+t_x509a.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-t_x509a.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+t_x509a.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-t_x509a.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+t_x509a.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-t_x509a.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+t_x509a.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-t_x509a.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+t_x509a.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-t_x509a.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+t_x509a.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-t_x509a.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
+t_x509a.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-t_x509a.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+t_x509a.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-t_x509a.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+t_x509a.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-t_x509a.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+t_x509a.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-t_x509a.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+t_x509a.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-t_x509a.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+t_x509a.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-t_x509a.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+t_x509a.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-t_x509a.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+t_x509a.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-t_x509a.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+t_x509a.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-t_x509a.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+t_x509a.o: ../../include/openssl/x509_vfy.h ../cryptlib.h t_x509a.c
 t_x509a.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 t_x509a.o: ../cryptlib.h t_x509a.c
 tasn_dec.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
 tasn_dec.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 tasn_dec.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
@@ -870,7 +841,6 @@ x_algor.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
 x_algor.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
 x_algor.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
 x_algor.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 x_algor.o: ../../include/openssl/ec.h ../../include/openssl/ecdsa.h
 x_algor.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
 x_algor.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
 x_algor.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
@@ -892,8 +862,7 @@ x_attrib.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
 x_attrib.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
 x_attrib.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
 x_attrib.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-x_attrib.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+x_attrib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 x_attrib.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
 x_attrib.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
 x_attrib.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
 x_attrib.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
@@ -924,7 +893,6 @@ x_crl.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
 x_crl.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
 x_crl.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
 x_crl.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 x_crl.o: ../../include/openssl/ec.h ../../include/openssl/ecdsa.h
 x_crl.o: ../../include/openssl/err.h ../../include/openssl/evp.h
 x_crl.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
 x_crl.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
@@ -946,7 +914,6 @@ x_exten.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
 x_exten.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
 x_exten.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
 x_exten.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 x_exten.o: ../../include/openssl/ec.h ../../include/openssl/ecdsa.h
 x_exten.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
 x_exten.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
 x_exten.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
@@ -962,27 +929,26 @@ x_exten.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
 x_exten.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 x_exten.o: x_exten.c
 x_info.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-x_info.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+x_info.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-x_info.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+x_info.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-x_info.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+x_info.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-x_info.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+x_info.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-x_info.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
+x_info.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-x_info.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+x_info.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-x_info.o: ../../include/openssl/ec.h ../../include/openssl/ecdsa.h
+x_info.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-x_info.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x_info.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-x_info.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+x_info.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-x_info.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+x_info.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-x_info.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x_info.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-x_info.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+x_info.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-x_info.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+x_info.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-x_info.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+x_info.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-x_info.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+x_info.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-x_info.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+x_info.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-x_info.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+x_info.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-x_info.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x_info.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-x_info.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+x_info.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x_info.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
+x_info.o: ../cryptlib.h x_info.c
 x_info.o: ../../include/openssl/x509_vfy.h ../cryptlib.h x_info.c
 x_long.o: ../../e_os.h ../../include/openssl/asn1.h
 x_long.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
 x_long.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
@@ -999,7 +965,6 @@ x_name.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
 x_name.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
 x_name.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
 x_name.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 x_name.o: ../../include/openssl/ec.h ../../include/openssl/ecdsa.h
 x_name.o: ../../include/openssl/err.h ../../include/openssl/evp.h
 x_name.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
 x_name.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
@@ -1015,28 +980,26 @@ x_name.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
 x_name.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
 x_name.o: ../../include/openssl/x509_vfy.h ../cryptlib.h x_name.c
 x_pkey.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-x_pkey.o: ../../include/openssl/asn1_mac.h ../../include/openssl/asn1t.h
+x_pkey.o: ../../include/openssl/asn1_mac.h ../../include/openssl/bio.h
-x_pkey.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+x_pkey.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x_pkey.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+x_pkey.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x_pkey.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+x_pkey.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-x_pkey.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
+x_pkey.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-x_pkey.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+x_pkey.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-x_pkey.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+x_pkey.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x_pkey.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+x_pkey.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x_pkey.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+x_pkey.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-x_pkey.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+x_pkey.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-x_pkey.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
+x_pkey.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-x_pkey.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+x_pkey.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-x_pkey.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x_pkey.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-x_pkey.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x_pkey.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x_pkey.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+x_pkey.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x_pkey.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+x_pkey.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-x_pkey.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+x_pkey.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x_pkey.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x_pkey.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-x_pkey.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+x_pkey.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-x_pkey.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+x_pkey.o: ../../include/openssl/x509_vfy.h ../cryptlib.h x_pkey.c
 x_pkey.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 x_pkey.o: ../cryptlib.h x_pkey.c
 x_pubkey.o: ../../e_os.h ../../include/openssl/aes.h
 x_pubkey.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
 x_pubkey.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
@@ -1044,8 +1007,7 @@ x_pubkey.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
 x_pubkey.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
 x_pubkey.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
 x_pubkey.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-x_pubkey.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+x_pubkey.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 x_pubkey.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
 x_pubkey.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
 x_pubkey.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
 x_pubkey.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
@@ -1067,7 +1029,6 @@ x_req.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
 x_req.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
 x_req.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
 x_req.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 x_req.o: ../../include/openssl/ec.h ../../include/openssl/ecdsa.h
 x_req.o: ../../include/openssl/err.h ../../include/openssl/evp.h
 x_req.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
 x_req.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
@@ -1089,7 +1050,6 @@ x_sig.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
 x_sig.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
 x_sig.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
 x_sig.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 x_sig.o: ../../include/openssl/ec.h ../../include/openssl/ecdsa.h
 x_sig.o: ../../include/openssl/err.h ../../include/openssl/evp.h
 x_sig.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
 x_sig.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
@@ -1111,7 +1071,6 @@ x_spki.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
 x_spki.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
 x_spki.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
 x_spki.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 x_spki.o: ../../include/openssl/ec.h ../../include/openssl/ecdsa.h
 x_spki.o: ../../include/openssl/err.h ../../include/openssl/evp.h
 x_spki.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
 x_spki.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
@@ -1133,7 +1092,6 @@ x_val.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
 x_val.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
 x_val.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
 x_val.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 x_val.o: ../../include/openssl/ec.h ../../include/openssl/ecdsa.h
 x_val.o: ../../include/openssl/err.h ../../include/openssl/evp.h
 x_val.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
 x_val.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
@@ -1155,8 +1113,7 @@ x_x509.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
 x_x509.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
 x_x509.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
 x_x509.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-x_x509.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+x_x509.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 x_x509.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
 x_x509.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
 x_x509.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
 x_x509.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
@@ -1178,8 +1135,7 @@ x_x509a.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
 x_x509a.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
 x_x509a.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
 x_x509a.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-x_x509a.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+x_x509a.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 x_x509a.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
 x_x509a.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
 x_x509a.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
 x_x509a.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
--- a/crypto/asn1/a_bitstr.c
+++ b/crypto/asn1/a_bitstr.c
@@ -120,6 +120,12 @@ ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a, unsigned char **pp,
 	unsigned char *p,*s;
 	int i;
 	if (len < 1)
 		{
 		i=ASN1_R_STRING_TOO_SHORT;
 		goto err;
 		}
 	if ((a == NULL) || ((*a) == NULL))
 		{
 		if ((ret=M_ASN1_BIT_STRING_new()) == NULL) return(NULL);
@@ -185,7 +191,9 @@ int ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value)
 		if (a->data == NULL)
 			c=(unsigned char *)OPENSSL_malloc(w+1);
 		else
-			c=(unsigned char *)OPENSSL_realloc(a->data,w+1);
+			c=(unsigned char *)OPENSSL_realloc_clean(a->data,
 								 a->length,
 								 w+1);
 		if (c == NULL) return(0);
 		if (w+1-a->length > 0) memset(c+a->length, 0, w+1-a->length);
 		a->data=c;
--- a/crypto/asn1/a_bytes.c
+++ b/crypto/asn1/a_bytes.c
@@ -285,7 +285,7 @@ static int asn1_collate_primitive(ASN1_STRING *a, ASN1_CTX *c)
 			goto err;
 			}
-		if (!BUF_MEM_grow(&b,num+os->length))
+		if (!BUF_MEM_grow_clean(&b,num+os->length))
 			{
 			c->error=ERR_R_BUF_LIB;
 			goto err;
--- a/crypto/asn1/a_d2i_fp.c
+++ b/crypto/asn1/a_d2i_fp.c
@@ -149,7 +149,12 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
 	ASN1_CTX c;
 	int want=HEADER_SIZE;
 	int eos=0;
 #if defined(__GNUC__) && defined(__ia64)
 	/* pathetic compiler bug in all known versions as of Nov. 2002 */
 	long off=0;
 #else
 	int off=0;
 #endif
 	int len=0;
 	b=BUF_MEM_new();
@@ -166,7 +171,7 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
 			{
 			want-=(len-off);
-			if (!BUF_MEM_grow(b,len+want))
+			if (!BUF_MEM_grow_clean(b,len+want))
 				{
 				ASN1err(ASN1_F_ASN1_D2I_BIO,ERR_R_MALLOC_FAILURE);
 				goto err;
@@ -221,18 +226,23 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
 			if (want > (len-off))
 				{
 				want-=(len-off);
-				if (!BUF_MEM_grow(b,len+want))
+				if (!BUF_MEM_grow_clean(b,len+want))
 					{
 					ASN1err(ASN1_F_ASN1_D2I_BIO,ERR_R_MALLOC_FAILURE);
 					goto err;
 					}
 				while (want > 0)
 					{
 					i=BIO_read(in,&(b->data[len]),want);
 					if (i <= 0)
 						{
-					ASN1err(ASN1_F_ASN1_D2I_BIO,ASN1_R_NOT_ENOUGH_DATA);
+						ASN1err(ASN1_F_ASN1_D2I_BIO,
 						    ASN1_R_NOT_ENOUGH_DATA);
 						goto err;
 						}
 					len+=i;
 					want -= i;
 					}
 				}
 			off+=(int)c.slen;
 			if (eos <= 0)
--- a/crypto/asn1/a_object.c
+++ b/crypto/asn1/a_object.c
@@ -183,8 +183,8 @@ int i2a_ASN1_OBJECT(BIO *bp, ASN1_OBJECT *a)
 	if ((a == NULL) || (a->data == NULL))
 		return(BIO_write(bp,"NULL",4));
-	i=i2t_ASN1_OBJECT(buf,80,a);
+	i=i2t_ASN1_OBJECT(buf,sizeof buf,a);
-	if (i > 80) i=80;
+	if (i > sizeof buf) i=sizeof buf;
 	BIO_write(bp,buf,i);
 	return(i);
 	}
--- a/crypto/asn1/a_sign.c
+++ b/crypto/asn1/a_sign.c
@@ -204,9 +204,9 @@ int ASN1_sign(int (*i2d)(), X509_ALGOR *algor1, X509_ALGOR *algor2,
 err:
 	EVP_MD_CTX_cleanup(&ctx);
 	if (buf_in != NULL)
-		{ memset((char *)buf_in,0,(unsigned int)inl); OPENSSL_free(buf_in); }
+		{ OPENSSL_cleanse((char *)buf_in,(unsigned int)inl); OPENSSL_free(buf_in); }
 	if (buf_out != NULL)
-		{ memset((char *)buf_out,0,outll); OPENSSL_free(buf_out); }
+		{ OPENSSL_cleanse((char *)buf_out,outll); OPENSSL_free(buf_out); }
 	return(outl);
 	}
@@ -287,8 +287,8 @@ int ASN1_item_sign(const ASN1_ITEM *it, X509_ALGOR *algor1, X509_ALGOR *algor2,
 err:
 	EVP_MD_CTX_cleanup(&ctx);
 	if (buf_in != NULL)
-		{ memset((char *)buf_in,0,(unsigned int)inl); OPENSSL_free(buf_in); }
+		{ OPENSSL_cleanse((char *)buf_in,(unsigned int)inl); OPENSSL_free(buf_in); }
 	if (buf_out != NULL)
-		{ memset((char *)buf_out,0,outll); OPENSSL_free(buf_out); }
+		{ OPENSSL_cleanse((char *)buf_out,outll); OPENSSL_free(buf_out); }
 	return(outl);
 	}
--- a/crypto/asn1/a_strex.c
+++ b/crypto/asn1/a_strex.c
@@ -63,6 +63,7 @@
 #include <openssl/asn1.h>
 #include "charmap.h"
 #include "cryptlib.h"
 /* ASN1_STRING_print_ex() and X509_NAME_print_ex().
 * Enhanced string and name printing routines handling
@@ -114,14 +115,17 @@ typedef int char_io(void *arg, const void *buf, int len);
 static int do_esc_char(unsigned long c, unsigned char flags, char *do_quotes, char_io *io_ch, void *arg)
 {
 	unsigned char chflgs, chtmp;
-	char tmphex[11];
+	char tmphex[HEX_SIZE(long)+3];
 	if(c > 0xffffffffL)
 		return -1;
 	if(c > 0xffff) {
-		BIO_snprintf(tmphex, 11, "\\W%08lX", c);
+		BIO_snprintf(tmphex, sizeof tmphex, "\\W%08lX", c);
 		if(!io_ch(arg, tmphex, 10)) return -1;
 		return 10;
 	}
 	if(c > 0xff) {
-		BIO_snprintf(tmphex, 11, "\\U%04lX", c);
+		BIO_snprintf(tmphex, sizeof tmphex, "\\U%04lX", c);
 		if(!io_ch(arg, tmphex, 6)) return -1;
 		return 6;
 	}
@@ -195,7 +199,7 @@ static int do_buf(unsigned char *buf, int buflen,
 		if(type & BUF_TYPE_CONVUTF8) {
 			unsigned char utfbuf[6];
 			int utflen;
-			utflen = UTF8_putc(utfbuf, 6, c);
+			utflen = UTF8_putc(utfbuf, sizeof utfbuf, c);
 			for(i = 0; i < utflen; i++) {
 				/* We don't need to worry about setting orflags correctly
 				 * because if utflen==1 its value will be correct anyway 
@@ -461,7 +465,7 @@ static int do_name_ex(char_io *io_ch, void *arg, X509_NAME *n,
 		if(fn_opt != XN_FLAG_FN_NONE) {
 			int objlen, fld_len;
 			if((fn_opt == XN_FLAG_FN_OID) || (fn_nid==NID_undef) ) {
-				OBJ_obj2txt(objtmp, 80, fn, 1);
+				OBJ_obj2txt(objtmp, sizeof objtmp, fn, 1);
 				fld_len = 0; /* XXX: what should this be? */
 				objbuf = objtmp;
 			} else {
@@ -544,7 +548,7 @@ int ASN1_STRING_to_UTF8(unsigned char **out, ASN1_STRING *in)
 {
 	ASN1_STRING stmp, *str = &stmp;
 	int mbflag, type, ret;
-	if(!*out || !in) return -1;
+	if(!in) return -1;
 	type = in->type;
 	if((type < 0) || (type > 30)) return -1;
 	mbflag = tag2nbyte[type];
@@ -553,6 +557,6 @@ int ASN1_STRING_to_UTF8(unsigned char **out, ASN1_STRING *in)
 	stmp.data = NULL;
 	ret = ASN1_mbstring_copy(&str, in->data, in->length, mbflag, B_ASN1_UTF8STRING);
 	if(ret < 0) return ret;
-	if(out) *out = stmp.data;
+	*out = stmp.data;
 	return stmp.length;
 }
--- a/crypto/asn1/a_time.c
+++ b/crypto/asn1/a_time.c
@@ -105,7 +105,10 @@ ASN1_TIME *ASN1_TIME_set(ASN1_TIME *s, time_t t)
 	ts=OPENSSL_gmtime(&t,&data);
 	if (ts == NULL)
 		{
 		ASN1err(ASN1_F_ASN1_TIME_SET, ASN1_R_ERROR_GETTING_TIME);
 		return NULL;
 		}
 	if((ts->tm_year >= 50) && (ts->tm_year < 150))
 					return ASN1_UTCTIME_set(s, t);
 	return ASN1_GENERALIZEDTIME_set(s,t);
@@ -152,7 +155,7 @@ ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t, ASN1_GENERALIZE
 	if (t->data[0] >= '5') strcpy(str, "19");
 	else strcpy(str, "20");
-	strcat(str, (char *)t->data);
+	BUF_strlcat(str, (char *)t->data, t->length+3);	/* Include space for a '\0' */
 	return ret;
 	}
--- a/crypto/asn1/a_type.c
+++ b/crypto/asn1/a_type.c
@@ -62,7 +62,7 @@
 int ASN1_TYPE_get(ASN1_TYPE *a)
 	{
-	if (a->value.ptr != NULL)
+	if ((a->value.ptr != NULL) || (a->type == V_ASN1_NULL))
 		return(a->type);
 	else
 		return(0);
--- a/crypto/asn1/a_verify.c
+++ b/crypto/asn1/a_verify.c
@@ -103,7 +103,7 @@ int ASN1_verify(int (*i2d)(), X509_ALGOR *a, ASN1_BIT_STRING *signature,
 	EVP_VerifyInit_ex(&ctx,type, NULL);
 	EVP_VerifyUpdate(&ctx,(unsigned char *)buf_in,inl);
-	memset(buf_in,0,(unsigned int)inl);
+	OPENSSL_cleanse(buf_in,(unsigned int)inl);
 	OPENSSL_free(buf_in);
 	if (EVP_VerifyFinal(&ctx,(unsigned char *)signature->data,
@@ -153,7 +153,7 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, ASN1_BIT_STRING *signat
 	EVP_VerifyInit_ex(&ctx,type, NULL);
 	EVP_VerifyUpdate(&ctx,(unsigned char *)buf_in,inl);
-	memset(buf_in,0,(unsigned int)inl);
+	OPENSSL_cleanse(buf_in,(unsigned int)inl);
 	OPENSSL_free(buf_in);
 	if (EVP_VerifyFinal(&ctx,(unsigned char *)signature->data,
--- a/crypto/asn1/asn1.h
+++ b/crypto/asn1/asn1.h
@@ -70,7 +70,6 @@
 #include <openssl/symhacks.h>
 #include <openssl/e_os2.h>
 #include <openssl/ossl_typ.h>
 #ifdef OPENSSL_BUILD_SHLIBCRYPTO
@@ -981,6 +980,7 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_F_ASN1_TEMPLATE_D2I			 131
 #define ASN1_F_ASN1_TEMPLATE_EX_D2I			 132
 #define ASN1_F_ASN1_TEMPLATE_NEW			 133
 #define ASN1_F_ASN1_TIME_SET				 175
 #define ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING		 134
 #define ASN1_F_ASN1_TYPE_GET_OCTETSTRING		 135
 #define ASN1_F_ASN1_UNPACK_STRING			 136
@@ -1009,13 +1009,12 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_F_D2I_X509_PKEY				 159
 #define ASN1_F_I2D_ASN1_TIME				 160
 #define ASN1_F_I2D_DSA_PUBKEY				 161
 #define ASN1_F_I2D_ECDSA_PUBKEY				 174
 #define ASN1_F_I2D_NETSCAPE_RSA				 162
 #define ASN1_F_I2D_PRIVATEKEY				 163
 #define ASN1_F_I2D_PUBLICKEY				 164
 #define ASN1_F_I2D_RSA_PUBKEY				 165
 #define ASN1_F_LONG_C2I					 166
-#define ASN1_F_OID_MODULE_INIT				 175
+#define ASN1_F_OID_MODULE_INIT				 174
 #define ASN1_F_PKCS5_PBE2_SET				 167
 #define ASN1_F_X509_CINF_NEW				 168
 #define ASN1_F_X509_CRL_ADD0_REVOKED			 169
@@ -1039,6 +1038,7 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_R_DECODE_ERROR				 110
 #define ASN1_R_DECODING_ERROR				 111
 #define ASN1_R_ENCODE_ERROR				 112
 #define ASN1_R_ERROR_GETTING_TIME			 173
 #define ASN1_R_ERROR_LOADING_SECTION			 172
 #define ASN1_R_ERROR_PARSING_SET_ELEMENT		 113
 #define ASN1_R_ERROR_SETTING_CIPHER_PARAMS		 114
--- a/crypto/asn1/asn1_err.c
+++ b/crypto/asn1/asn1_err.c
@@ -100,6 +100,7 @@ static ERR_STRING_DATA ASN1_str_functs[]=
 {ERR_PACK(0,ASN1_F_ASN1_TEMPLATE_D2I,0),	"ASN1_TEMPLATE_D2I"},
 {ERR_PACK(0,ASN1_F_ASN1_TEMPLATE_EX_D2I,0),	"ASN1_TEMPLATE_EX_D2I"},
 {ERR_PACK(0,ASN1_F_ASN1_TEMPLATE_NEW,0),	"ASN1_TEMPLATE_NEW"},
 {ERR_PACK(0,ASN1_F_ASN1_TIME_SET,0),	"ASN1_TIME_set"},
 {ERR_PACK(0,ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING,0),	"ASN1_TYPE_get_int_octetstring"},
 {ERR_PACK(0,ASN1_F_ASN1_TYPE_GET_OCTETSTRING,0),	"ASN1_TYPE_get_octetstring"},
 {ERR_PACK(0,ASN1_F_ASN1_UNPACK_STRING,0),	"ASN1_unpack_string"},
@@ -128,7 +129,6 @@ static ERR_STRING_DATA ASN1_str_functs[]=
 {ERR_PACK(0,ASN1_F_D2I_X509_PKEY,0),	"d2i_X509_PKEY"},
 {ERR_PACK(0,ASN1_F_I2D_ASN1_TIME,0),	"I2D_ASN1_TIME"},
 {ERR_PACK(0,ASN1_F_I2D_DSA_PUBKEY,0),	"i2d_DSA_PUBKEY"},
 {ERR_PACK(0,ASN1_F_I2D_ECDSA_PUBKEY,0),	"i2d_ECDSA_PUBKEY"},
 {ERR_PACK(0,ASN1_F_I2D_NETSCAPE_RSA,0),	"i2d_Netscape_RSA"},
 {ERR_PACK(0,ASN1_F_I2D_PRIVATEKEY,0),	"i2d_PrivateKey"},
 {ERR_PACK(0,ASN1_F_I2D_PUBLICKEY,0),	"i2d_PublicKey"},
@@ -161,6 +161,7 @@ static ERR_STRING_DATA ASN1_str_reasons[]=
 {ASN1_R_DECODE_ERROR                     ,"decode error"},
 {ASN1_R_DECODING_ERROR                   ,"decoding error"},
 {ASN1_R_ENCODE_ERROR                     ,"encode error"},
 {ASN1_R_ERROR_GETTING_TIME               ,"error getting time"},
 {ASN1_R_ERROR_LOADING_SECTION            ,"error loading section"},
 {ASN1_R_ERROR_PARSING_SET_ELEMENT        ,"error parsing set element"},
 {ASN1_R_ERROR_SETTING_CIPHER_PARAMS      ,"error setting cipher params"},
--- a/crypto/asn1/asn1_lib.c
+++ b/crypto/asn1/asn1_lib.c
@@ -57,6 +57,7 @@
 */
 #include <stdio.h>
 #include <limits.h>
 #include "cryptlib.h"
 #include <openssl/asn1.h>
 #include <openssl/asn1_mac.h>
@@ -124,15 +125,13 @@ int ASN1_get_object(unsigned char **pp, long *plength, int *ptag, int *pclass,
 		(int)(omax+ *pp));
 #endif
-#if 0
+	if (*plength > (omax - (p - *pp)))
 	if ((p+ *plength) > (omax+ *pp))
 		{
 		ASN1err(ASN1_F_ASN1_GET_OBJECT,ASN1_R_TOO_LONG);
 		/* Set this so that even if things are not long enough
 		 * the values are set correctly */
 		ret|=0x80;
 		}
 #endif
 	*pp=p;
 	return(ret|inf);
 err:
@@ -143,7 +142,7 @@ err:
 static int asn1_get_length(unsigned char **pp, int *inf, long *rl, int max)
 	{
 	unsigned char *p= *pp;
-	long ret=0;
+	unsigned long ret=0;
 	int i;
 	if (max-- < 1) return(0);
@@ -159,6 +158,8 @@ static int asn1_get_length(unsigned char **pp, int *inf, long *rl, int max)
 		i= *p&0x7f;
 		if (*(p++) & 0x80)
 			{
 			if (i > sizeof(long))
 				return 0;
 			if (max-- == 0) return(0);
 			while (i-- > 0)
 				{
@@ -170,8 +171,10 @@ static int asn1_get_length(unsigned char **pp, int *inf, long *rl, int max)
 		else
 			ret=i;
 		}
 	if (ret > LONG_MAX)
 		return 0;
 	*pp=p;
-	*rl=ret;
+	*rl=(long)ret;
 	return(1);
 	}
@@ -407,7 +410,7 @@ int ASN1_STRING_cmp(ASN1_STRING *a, ASN1_STRING *b)
 void asn1_add_error(unsigned char *address, int offset)
 	{
-	char buf1[16],buf2[16];
+	char buf1[DECIMAL_SIZE(address)+1],buf2[DECIMAL_SIZE(offset)+1];
 	sprintf(buf1,"%lu",(unsigned long)address);
 	sprintf(buf2,"%d",offset);
--- a/crypto/asn1/asn1_par.c
+++ b/crypto/asn1/asn1_par.c
@@ -79,12 +79,7 @@ static int asn1_print_info(BIO *bp, int tag, int xclass, int constructed,
 	else
 		p="prim: ";
 	if (BIO_write(bp,p,6) < 6) goto err;
-	if (indent)
+	BIO_indent(bp,indent,128);
 		{
 		if (indent > 128) indent=128;
 		memset(str,' ',indent);
 		if (BIO_write(bp,str,indent) < indent) goto err;
 		}
 	p=str;
 	if ((xclass & V_ASN1_PRIVATE) == V_ASN1_PRIVATE)
@@ -261,11 +256,9 @@ static int asn1_parse2(BIO *bp, unsigned char **pp, long length, int offset,
 				opp=op;
 				os=d2i_ASN1_OCTET_STRING(NULL,&opp,len+hl);
-				if (os != NULL && os->length > 0)
+				if (os != NULL)
 					{
 					opp=os->data;
 					/* testing whether the octet string is
 					 * printable */
 					for (i=0; i<os->length; i++)
 						{
 						if ((	(opp[i] < ' ') &&
@@ -278,8 +271,7 @@ static int asn1_parse2(BIO *bp, unsigned char **pp, long length, int offset,
 							break;
 							}
 						}
-					if (printable)
+					if (printable && (os->length > 0))
 					/* printable string */
 						{
 						if (BIO_write(bp,":",1) <= 0)
 							goto end;
@@ -287,21 +279,8 @@ static int asn1_parse2(BIO *bp, unsigned char **pp, long length, int offset,
 							os->length) <= 0)
 							goto end;
 						}
-					else if (!dump)
+					if (!printable && (os->length > 0)
-					/* not printable => print octet string
+						&& dump)
 					 * as hex dump */
 						{
 						if (BIO_write(bp,"[HEX DUMP]:",11) <= 0)
 							goto end;
 						for (i=0; i<os->length; i++)
 							{
 							if (BIO_printf(bp,"%02X"
 								, opp[i]) <= 0)
 								goto end;
 							}
 						}
 					else
 					/* print the normal dump */
 						{
 						if (!nl) 
 							{
@@ -309,15 +288,11 @@ static int asn1_parse2(BIO *bp, unsigned char **pp, long length, int offset,
 								goto end;
 							}
 						if (BIO_dump_indent(bp,(char *)opp,
-							((dump == -1 || dump > 
+							((dump == -1 || dump > os->length)?os->length:dump),
 							os->length)?os->length:dump),
 							dump_indent) <= 0)
 							goto end;
 						nl=1;
 						}
 					}
 				if (os != NULL)
 					{
 					M_ASN1_OCTET_STRING_free(os);
 					os=NULL;
 					}
--- a/crypto/asn1/d2i_pr.c
+++ b/crypto/asn1/d2i_pr.c
@@ -68,9 +68,6 @@
 #ifndef OPENSSL_NO_DSA
 #include <openssl/dsa.h>
 #endif
 #ifndef OPENSSL_NO_ECDSA
 #include <openssl/ecdsa.h>
 #endif
 EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **a, unsigned char **pp,
 	     long length)
@@ -110,16 +107,6 @@ EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **a, unsigned char **pp,
 			goto err;
 			}
 		break;
 #endif
 #ifndef OPENSSL_NO_ECDSA
 	case EVP_PKEY_ECDSA:
 		if ((ret->pkey.ecdsa = d2i_ECDSAPrivateKey(NULL, 
 			(const unsigned char **)pp, length)) == NULL)
 			{
 			ASN1err(ASN1_F_D2I_PRIVATEKEY, ERR_R_ASN1_LIB);
 			goto err;
 			}
 		break;
 #endif
 	default:
 		ASN1err(ASN1_F_D2I_PRIVATEKEY,ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE);
@@ -151,10 +138,7 @@ EVP_PKEY *d2i_AutoPrivateKey(EVP_PKEY **a, unsigned char **pp,
 	/* Since we only need to discern "traditional format" RSA and DSA
 	 * keys we can just count the elements.
         */
-	if(sk_ASN1_TYPE_num(inkey) == 6) 
+	if(sk_ASN1_TYPE_num(inkey) == 6) keytype = EVP_PKEY_DSA;
 		keytype = EVP_PKEY_DSA;
 	else if (sk_ASN1_TYPE_num(inkey) == 4)
 		keytype = EVP_PKEY_ECDSA;
 	else keytype = EVP_PKEY_RSA;
 	sk_ASN1_TYPE_pop_free(inkey, ASN1_TYPE_free);
 	return d2i_PrivateKey(keytype, a, pp, length);
--- a/crypto/asn1/d2i_pu.c
+++ b/crypto/asn1/d2i_pu.c
@@ -68,9 +68,6 @@
 #ifndef OPENSSL_NO_DSA
 #include <openssl/dsa.h>
 #endif
 #ifndef OPENSSL_NO_ECDSA
 #include <openssl/ecdsa.h>
 #endif
 EVP_PKEY *d2i_PublicKey(int type, EVP_PKEY **a, unsigned char **pp,
 	     long length)
@@ -103,23 +100,13 @@ EVP_PKEY *d2i_PublicKey(int type, EVP_PKEY **a, unsigned char **pp,
 #endif
 #ifndef OPENSSL_NO_DSA
 	case EVP_PKEY_DSA:
-		if ((ret->pkey.dsa=d2i_DSAPublicKey(&(ret->pkey.dsa),
+		if ((ret->pkey.dsa=d2i_DSAPublicKey(NULL,
 			(const unsigned char **)pp,length)) == NULL) /* TMP UGLY CAST */
 			{
 			ASN1err(ASN1_F_D2I_PUBLICKEY,ERR_R_ASN1_LIB);
 			goto err;
 			}
 		break;
 #endif
 #ifndef OPENSSL_NO_ECDSA
 	case EVP_PKEY_ECDSA:
 		if ((ret->pkey.ecdsa = ECDSAPublicKey_set_octet_string(&(ret->pkey.ecdsa), 
 			(const unsigned char **)pp, length)) == NULL)
 			{
 			ASN1err(ASN1_F_D2I_PUBLICKEY, ERR_R_ASN1_LIB);
 			goto err;
 			}
 	break;
 #endif
 	default:
 		ASN1err(ASN1_F_D2I_PUBLICKEY,ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE);
--- a/crypto/asn1/f_int.c
+++ b/crypto/asn1/f_int.c
@@ -169,8 +169,7 @@ int a2i_ASN1_INTEGER(BIO *bp, ASN1_INTEGER *bs, char *buf, int size)
 				sp=(unsigned char *)OPENSSL_malloc(
 					(unsigned int)num+i*2);
 			else
-				sp=(unsigned char *)OPENSSL_realloc(s,
+				sp=OPENSSL_realloc_clean(s,slen,num+i*2);
 					(unsigned int)num+i*2);
 			if (sp == NULL)
 				{
 				ASN1err(ASN1_F_A2I_ASN1_INTEGER,ERR_R_MALLOC_FAILURE);
--- a/crypto/asn1/i2d_pr.c
+++ b/crypto/asn1/i2d_pr.c
@@ -67,9 +67,6 @@
 #ifndef OPENSSL_NO_DSA
 #include <openssl/dsa.h>
 #endif
 #ifndef OPENSSL_NO_ECDSA
 #include <openssl/ecdsa.h>
 #endif
 int i2d_PrivateKey(EVP_PKEY *a, unsigned char **pp)
 	{
@@ -86,12 +83,6 @@ int i2d_PrivateKey(EVP_PKEY *a, unsigned char **pp)
 		return(i2d_DSAPrivateKey(a->pkey.dsa,pp));
 		}
 #endif
 #ifndef OPENSSL_NO_ECDSA
 	if (a->type == EVP_PKEY_ECDSA)
 		{
 		return(i2d_ECDSAPrivateKey(a->pkey.ecdsa, pp));
 		}
 #endif
 	ASN1err(ASN1_F_I2D_PRIVATEKEY,ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE);
 	return(-1);
--- a/crypto/asn1/i2d_pu.c
+++ b/crypto/asn1/i2d_pu.c
@@ -67,9 +67,6 @@
 #ifndef OPENSSL_NO_DSA
 #include <openssl/dsa.h>
 #endif
 #ifndef OPENSSL_NO_ECDSA
 #include <openssl/ecdsa.h>
 #endif
 int i2d_PublicKey(EVP_PKEY *a, unsigned char **pp)
 	{
@@ -82,10 +79,6 @@ int i2d_PublicKey(EVP_PKEY *a, unsigned char **pp)
 #ifndef OPENSSL_NO_DSA
 	case EVP_PKEY_DSA:
 		return(i2d_DSAPublicKey(a->pkey.dsa,pp));
 #endif
 #ifndef OPENSSL_NO_ECDSA
 	case EVP_PKEY_ECDSA:
 		return(ECDSAPublicKey_get_octet_string(a->pkey.ecdsa, pp));
 #endif
 	default:
 		ASN1err(ASN1_F_I2D_PUBLICKEY,ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE);
--- a/crypto/asn1/n_pkey.c
+++ b/crypto/asn1/n_pkey.c
@@ -187,7 +187,7 @@ int i2d_RSA_NET(const RSA *a, unsigned char **pp, int (*cb)(), int sgckey)
 	i2d_NETSCAPE_PKEY(pkey,&zz);
 	/* Wipe the private key encoding */
-	memset(pkey->private_key->data, 0, rsalen);
+	OPENSSL_cleanse(pkey->private_key->data, rsalen);
 	if (cb == NULL)
 		cb=EVP_read_pw_string;
@@ -206,7 +206,7 @@ int i2d_RSA_NET(const RSA *a, unsigned char **pp, int (*cb)(), int sgckey)
 	}
 	EVP_BytesToKey(EVP_rc4(),EVP_md5(),NULL,buf,i,1,key,NULL);
-	memset(buf,0,256);
+	OPENSSL_cleanse(buf,256);
 	/* Encrypt private key in place */
 	zz = enckey->enckey->digest->data;
@@ -294,7 +294,7 @@ static RSA *d2i_RSA_NET_2(RSA **a, ASN1_OCTET_STRING *os,
 	}
 	EVP_BytesToKey(EVP_rc4(),EVP_md5(),NULL,buf,i,1,key,NULL);
-	memset(buf,0,256);
+	OPENSSL_cleanse(buf,256);
 	EVP_CIPHER_CTX_init(&ctx);
 	EVP_DecryptInit_ex(&ctx,EVP_rc4(),NULL, key,NULL);
--- a/crypto/asn1/p8_pkey.c
+++ b/crypto/asn1/p8_pkey.c
@@ -68,8 +68,8 @@ static int pkey_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it)
 	if(operation == ASN1_OP_FREE_PRE) {
 		PKCS8_PRIV_KEY_INFO *key = (PKCS8_PRIV_KEY_INFO *)*pval;
 		if (key->pkey->value.octet_string)
-		memset(key->pkey->value.octet_string->data,
+		OPENSSL_cleanse(key->pkey->value.octet_string->data,
-				 0, key->pkey->value.octet_string->length);
+			key->pkey->value.octet_string->length);
 	}
 	return 1;
 }
--- a/crypto/asn1/t_crl.c
+++ b/crypto/asn1/t_crl.c
@@ -84,11 +84,11 @@ int X509_CRL_print_fp(FILE *fp, X509_CRL *x)
 int X509_CRL_print(BIO *out, X509_CRL *x)
 {
 	char buf[256];
 	STACK_OF(X509_REVOKED) *rev;
 	X509_REVOKED *r;
 	long l;
 	int i, n;
 	char *p;
 	BIO_printf(out, "Certificate Revocation List (CRL):\n");
 	l = X509_CRL_get_version(x);
@@ -96,8 +96,9 @@ int X509_CRL_print(BIO *out, X509_CRL *x)
 	i = OBJ_obj2nid(x->sig_alg->algorithm);
 	BIO_printf(out, "%8sSignature Algorithm: %s\n", "",
 				 (i == NID_undef) ? "NONE" : OBJ_nid2ln(i));
-	X509_NAME_oneline(X509_CRL_get_issuer(x),buf,256);
+	p=X509_NAME_oneline(X509_CRL_get_issuer(x),NULL,0);
-	BIO_printf(out,"%8sIssuer: %s\n","",buf);
+	BIO_printf(out,"%8sIssuer: %s\n","",p);
 	OPENSSL_free(p);
 	BIO_printf(out,"%8sLast Update: ","");
 	ASN1_TIME_print(out,X509_CRL_get_lastUpdate(x));
 	BIO_printf(out,"\n%8sNext Update: ","");
--- a/crypto/asn1/t_pkey.c
+++ b/crypto/asn1/t_pkey.c
@@ -58,7 +58,6 @@
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/objects.h>
 #include <openssl/buffer.h>
 #include <openssl/bn.h>
 #ifndef OPENSSL_NO_RSA
@@ -70,9 +69,6 @@
 #ifndef OPENSSL_NO_DSA
 #include <openssl/dsa.h>
 #endif
 #ifndef OPENSSL_NO_ECDSA
 #include <openssl/ecdsa.h>
 #endif
 static int print(BIO *fp,const char *str,BIGNUM *num,
 		unsigned char *buf,int off);
@@ -134,14 +130,10 @@ int RSA_print(BIO *bp, const RSA *x, int off)
 		goto err;
 		}
 	if (off)
 		{
 		if (off > 128) off=128;
 		memset(str,' ',off);
 		}
 	if (x->d != NULL)
 		{
-		if (off && (BIO_write(bp,str,off) <= 0)) goto err;
+		if(!BIO_indent(bp,off,128))
 		   goto err;
 		if (BIO_printf(bp,"Private-Key: (%d bit)\n",BN_num_bits(x->n))
 			<= 0) goto err;
 		}
@@ -187,7 +179,6 @@ int DSA_print_fp(FILE *fp, const DSA *x, int off)
 int DSA_print(BIO *bp, const DSA *x, int off)
 	{
 	char str[128];
 	unsigned char *m=NULL;
 	int ret=0;
 	size_t buf_len=0,i;
@@ -214,14 +205,10 @@ int DSA_print(BIO *bp, const DSA *x, int off)
 		goto err;
 		}
 	if (off)
 		{
 		if (off > 128) off=128;
 		memset(str,' ',off);
 		}
 	if (x->priv_key != NULL)
 		{
-		if (off && (BIO_write(bp,str,off) <= 0)) goto err;
+		if(!BIO_indent(bp,off,128))
 		   goto err;
 		if (BIO_printf(bp,"Private-Key: (%d bit)\n",BN_num_bits(x->p))
 			<= 0) goto err;
 		}
@@ -240,308 +227,16 @@ err:
 	}
 #endif /* !OPENSSL_NO_DSA */
 #ifndef OPENSSL_NO_EC
 #ifndef OPENSSL_NO_FP_API
 int ECPKParameters_print_fp(FILE *fp, const EC_GROUP *x, int off)
 	{
 	BIO *b;
 	int ret;
 	if ((b=BIO_new(BIO_s_file())) == NULL)
 		{
 		ECerr(EC_F_ECPKPARAMETERS_PRINT_FP,ERR_R_BUF_LIB);
 		return(0);
 		}
 	BIO_set_fp(b, fp, BIO_NOCLOSE);
 	ret = ECPKParameters_print(b, x, off);
 	BIO_free(b);
 	return(ret);
 	}
 #endif
 int ECPKParameters_print(BIO *bp, const EC_GROUP *x, int off)
 	{
 	char str[128];
 	unsigned char *buffer=NULL;
 	size_t	buf_len=0, i;
 	int     ret=0, reason=ERR_R_BIO_LIB;
 	BN_CTX  *ctx=NULL;
 	EC_POINT *point=NULL;
 	BIGNUM	*p=NULL, *a=NULL, *b=NULL, *gen=NULL,
 		*order=NULL, *cofactor=NULL, *seed=NULL;
 	static const char *gen_compressed = "Generator (compressed):";
 	static const char *gen_uncompressed = "Generator (uncompressed):";
 	static const char *gen_hybrid = "Generator (hybrid):";
 	if (!x)
 		{
 		reason = ERR_R_PASSED_NULL_PARAMETER;
 		goto err;
 		}
 	if (EC_GROUP_get_asn1_flag(x))
 		{
 		/* the curve parameter are given by an asn1 OID */
 		int nid;
 		if (off)
 			{
 			if (off > 128)
 				off=128;
 			memset(str, ' ', off);
 			if (BIO_write(bp, str, off) <= 0)
 				goto err;
 			}
 		nid = EC_GROUP_get_nid(x);
 		if (nid == 0)
 			goto err;
 		if (BIO_printf(bp, "ASN1 OID: %s", OBJ_nid2sn(nid)) <= 0)
 			goto err;
 		if (BIO_printf(bp, "\n") <= 0)
 			goto err;
 		}
 	else
 		{
 		/* explicit parameters */
 		/* TODO */
 		point_conversion_form_t form;
 		if ((p = BN_new()) == NULL || (a = BN_new()) == NULL ||
 			(b = BN_new()) == NULL || (order = BN_new()) == NULL ||
 			(cofactor = BN_new()) == NULL)
 			{
 			reason = ERR_R_MALLOC_FAILURE;
 			goto err;
 			}
 		if (!EC_GROUP_get_curve_GFp(x, p, a, b, ctx))
 			{
 			reason = ERR_R_EC_LIB;
 			goto err;
 			}
 		if ((point = EC_GROUP_get0_generator(x)) == NULL)
 			{
 			reason = ERR_R_EC_LIB;
 			goto err;
 			}
 		if (!EC_GROUP_get_order(x, order, NULL) || 
            		!EC_GROUP_get_cofactor(x, cofactor, NULL))
 			{
 			reason = ERR_R_EC_LIB;
 			goto err;
 			}
 		form = EC_GROUP_get_point_conversion_form(x);
 		if ((gen = EC_POINT_point2bn(x, point, 
 				form, NULL, ctx)) == NULL)
 			{
 			reason = ERR_R_EC_LIB;
 			goto err;
 			}
 		buf_len = (size_t)BN_num_bytes(p);
 		if (buf_len < (i = (size_t)BN_num_bytes(a)))
 			buf_len = i;
 		if (buf_len < (i = (size_t)BN_num_bytes(b)))
 			buf_len = i;
 		if (buf_len < (i = (size_t)BN_num_bytes(gen)))
 			buf_len = i;
 		if (buf_len < (i = (size_t)BN_num_bytes(order)))
 			buf_len = i;
 		if (buf_len < (i = (size_t)BN_num_bytes(cofactor))) 
 			buf_len = i;
 		if (EC_GROUP_get0_seed(x))
 			{
 			seed = BN_bin2bn(EC_GROUP_get0_seed(x),
 				EC_GROUP_get_seed_len(x), NULL);
 			if (seed == NULL)
 				{
 				reason = ERR_R_BN_LIB;
 				goto err;
 				}
 			if (buf_len < (i = (size_t)BN_num_bytes(seed))) 
 				buf_len = i;
 			}
 		buf_len += 10;
 		if ((buffer = OPENSSL_malloc(buf_len)) == NULL)
 			{
 			reason = ERR_R_MALLOC_FAILURE;
 			goto err;
 			}
 		if (off)
 			{
 			if (off > 128) off=128;
 			memset(str,' ',off);
 			}
 		if ((p != NULL) && !print(bp, "P:   ", p, buffer, off)) 
 			goto err;
 		if ((a != NULL) && !print(bp, "A:   ", a, buffer, off)) 
 			goto err;
 		if ((b != NULL) && !print(bp, "B:   ", b, buffer, off))
 			goto err;
 		if (form == POINT_CONVERSION_COMPRESSED)
 			{
 			if ((gen != NULL) && !print(bp, gen_compressed, gen,
 				buffer, off))
 				goto err;
 			}
 		else if (form == POINT_CONVERSION_UNCOMPRESSED)
 			{
 			if ((gen != NULL) && !print(bp, gen_uncompressed, gen,
 				buffer, off))
 				goto err;
 			}
 		else /* form == POINT_CONVERSION_HYBRID */
 			{
 			if ((gen != NULL) && !print(bp, gen_hybrid, gen,
 				buffer, off))
 				goto err;
 			}
 		if ((order != NULL) && !print(bp, "Order: ", order, 
 			buffer, off)) goto err;
 		if ((cofactor != NULL) && !print(bp, "Cofactor: ", cofactor, 
 			buffer, off)) goto err;
 		if ((seed != NULL) && !print(bp, "Seed:", seed, 
 			buffer, off)) goto err;
 		}
 	ret=1;
 err:
 	if (!ret)
 		ECerr(EC_F_ECPKPARAMETERS_PRINT, reason);
 	if (p) 
 		BN_free(p);
 	if (a) 
 		BN_free(a);
 	if (b)
 		BN_free(b);
 	if (gen)
 		BN_free(gen);
 	if (order)
 		BN_free(order);
 	if (cofactor)
 		BN_free(cofactor);
 	if (seed) 
 		BN_free(seed);
 	if (ctx)
 		BN_CTX_free(ctx);
 	if (buffer != NULL) 
 		OPENSSL_free(buffer);
 	return(ret);	
 	}
 #endif /* OPENSSL_NO_EC */
 #ifndef OPENSSL_NO_ECDSA
 #ifndef OPENSSL_NO_FP_API
 int ECDSA_print_fp(FILE *fp, const ECDSA *x, int off)
 {
 	BIO *b;
 	int ret;
 	if ((b=BIO_new(BIO_s_file())) == NULL)
 	{
 		ECDSAerr(ECDSA_F_ECDSA_PRINT_FP, ERR_R_BIO_LIB);
 		return(0);
 	}
 	BIO_set_fp(b, fp, BIO_NOCLOSE);
 	ret = ECDSA_print(b, x, off);
 	BIO_free(b);
 	return(ret);
 }
 #endif
 int ECDSA_print(BIO *bp, const ECDSA *x, int off)
 	{
 	char str[128];
 	unsigned char *buffer=NULL;
 	size_t	buf_len=0, i;
 	int     ret=0, reason=ERR_R_BIO_LIB;
 	BIGNUM  *pub_key=NULL;
 	BN_CTX  *ctx=NULL;
 	if (!x || !x->group)
 		{
 		reason = ERR_R_PASSED_NULL_PARAMETER;
 		goto err;
 		}
 	if ((pub_key = EC_POINT_point2bn(x->group, x->pub_key,
 		ECDSA_get_conversion_form(x), NULL, ctx)) == NULL)
 		{
 		reason = ERR_R_EC_LIB;
 		goto err;
 		}
 	buf_len = (size_t)BN_num_bytes(pub_key);
 	if (x->priv_key)
 		{
 		if ((i = (size_t)BN_num_bytes(x->priv_key)) > buf_len)
 			buf_len = i;
 		}
 	buf_len += 10;
 	if ((buffer = OPENSSL_malloc(buf_len)) == NULL)
 		{
 		reason = ERR_R_MALLOC_FAILURE;
 		goto err;
 		}
 	if (off)
 		{
 		if (off > 128) off=128;
 		memset(str,' ',off);
 		}
 	if (x->priv_key != NULL)
 		{
 		if (off && (BIO_write(bp, str, off) <= 0)) goto err;
 		if (BIO_printf(bp, "Private-Key: (%d bit)\n", 
 			BN_num_bits(x->priv_key)) <= 0) goto err;
 		}
 	if ((x->priv_key != NULL) && !print(bp, "priv:", x->priv_key, 
 		buffer, off))
 		goto err;
 	if ((pub_key != NULL) && !print(bp, "pub: ", pub_key,
 		buffer, off))
 		goto err;
 	if (!ECPKParameters_print(bp, x->group, off))
 		goto err;
 	ret=1;
 err:
 	if (!ret)
 		ECDSAerr(ECDSA_F_ECDSA_PRINT, reason);
 	if (pub_key) 
 		BN_free(pub_key);
 	if (ctx)
 		BN_CTX_free(ctx);
 	if (buffer != NULL)
 		OPENSSL_free(buffer);
 	return(ret);
 	}
 #endif
 static int print(BIO *bp, const char *number, BIGNUM *num, unsigned char *buf,
 	     int off)
 	{
 	int n,i;
 	char str[128];
 	const char *neg;
 	if (num == NULL) return(1);
 	neg=(num->neg)?"-":"";
-	if (off)
+	if(!BIO_indent(bp,off,128))
-		{
+		return 0;
 		if (off > 128) off=128;
 		memset(str,' ',off);
 		if (BIO_write(bp,str,off) <= 0) return(0);
 		}
 	if (BN_num_bytes(num) <= BN_BYTES)
 		{
@@ -565,9 +260,9 @@ static int print(BIO *bp, const char *number, BIGNUM *num, unsigned char *buf,
 			{
 			if ((i%15) == 0)
 				{
-				str[0]='\n';
+				if(BIO_puts(bp,"\n") <= 0
-				memset(&(str[1]),' ',off+4);
+				   || !BIO_indent(bp,off+4,128))
-				if (BIO_write(bp,str,off+1+4) <= 0) return(0);
+				    return 0;
 				}
 			if (BIO_printf(bp,"%02x%s",buf[i],((i+1) == n)?"":":")
 				<= 0) return(0);
@@ -690,59 +385,3 @@ err:
 #endif /* !OPENSSL_NO_DSA */
 #ifndef OPENSSL_NO_ECDSA
 #ifndef OPENSSL_NO_FP_API
 int ECDSAParameters_print_fp(FILE *fp, const ECDSA *x)
 	{
 	BIO *b;
 	int ret;
 	if ((b=BIO_new(BIO_s_file())) == NULL)
 	{
 		ECDSAerr(ECDSA_F_ECDSAPARAMETERS_PRINT_FP, ERR_R_BIO_LIB);
 		return(0);
 	}
 	BIO_set_fp(b, fp, BIO_NOCLOSE);
 	ret = ECDSAParameters_print(b, x);
 	BIO_free(b);
 	return(ret);
 	}
 #endif
 int ECDSAParameters_print(BIO *bp, const ECDSA *x)
 	{
 	int     reason=ERR_R_EC_LIB, ret=0;
 	BIGNUM	*order=NULL;
 	if (!x || !x->group)
 		{
 		reason = ERR_R_PASSED_NULL_PARAMETER;;
 		goto err;
 		}
 	if ((order = BN_new()) == NULL)
 		{
 		reason = ERR_R_MALLOC_FAILURE;
 		goto err;
 		}
 	if (!EC_GROUP_get_order(x->group, order, NULL))
 		{
 		reason = ERR_R_EC_LIB;
 		goto err;
 		}
 	if (BIO_printf(bp, "ECDSA-Parameters: (%d bit)\n", 
 		BN_num_bits(order)) <= 0)
 		goto err;
 	if (!ECPKParameters_print(bp, x->group, 4))
 		goto err;
 	ret=1;
 err:
 	if (order)
 		BN_free(order);
 	ECDSAerr(ECDSA_F_ECDSAPARAMETERS_PRINT, reason);
 	return(ret);
 	}
 #endif
--- a/crypto/asn1/t_req.c
+++ b/crypto/asn1/t_req.c
@@ -82,7 +82,7 @@ int X509_REQ_print_fp(FILE *fp, X509_REQ *x)
        }
 #endif
-int X509_REQ_print(BIO *bp, X509_REQ *x)
+int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflags, unsigned long cflag)
 	{
 	unsigned long l;
 	int i;
@@ -91,34 +91,60 @@ int X509_REQ_print(BIO *bp, X509_REQ *x)
 	EVP_PKEY *pkey;
 	STACK_OF(X509_ATTRIBUTE) *sk;
 	STACK_OF(X509_EXTENSION) *exts;
-	char str[128];
+	char mlch = ' ';
 	int nmindent = 0;
 	if((nmflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) {
 		mlch = '\n';
 		nmindent = 12;
 	}
 	if(nmflags == X509_FLAG_COMPAT)
 		nmindent = 16;
 	ri=x->req_info;
-	sprintf(str,"Certificate Request:\n");
+	if(!(cflag & X509_FLAG_NO_HEADER))
-	if (BIO_puts(bp,str) <= 0) goto err;
+		{
-	sprintf(str,"%4sData:\n","");
+		if (BIO_write(bp,"Certificate Request:\n",21) <= 0) goto err;
-	if (BIO_puts(bp,str) <= 0) goto err;
+		if (BIO_write(bp,"    Data:\n",10) <= 0) goto err;
-
+		}
 	if(!(cflag & X509_FLAG_NO_VERSION))
 		{
 		neg=(ri->version->type == V_ASN1_NEG_INTEGER)?"-":"";
 		l=0;
 		for (i=0; i<ri->version->length; i++)
 			{ l<<=8; l+=ri->version->data[i]; }
-	sprintf(str,"%8sVersion: %s%lu (%s0x%lx)\n","",neg,l,neg,l);
+		if(BIO_printf(bp,"%8sVersion: %s%lu (%s0x%lx)\n","",neg,l,neg,
-	if (BIO_puts(bp,str) <= 0) goto err;
+			      l) <= 0)
-	sprintf(str,"%8sSubject: ","");
+		    goto err;
-	if (BIO_puts(bp,str) <= 0) goto err;
+		}
-
+        if(!(cflag & X509_FLAG_NO_SUBJECT))
-	X509_NAME_print(bp,ri->subject,16);
+                {
-	sprintf(str,"\n%8sSubject Public Key Info:\n","");
+                if (BIO_printf(bp,"        Subject:%c",mlch) <= 0) goto err;
-	if (BIO_puts(bp,str) <= 0) goto err;
+                if (X509_NAME_print_ex(bp,ri->subject,nmindent, nmflags) < 0) goto err;
-	i=OBJ_obj2nid(ri->pubkey->algor->algorithm);
+                if (BIO_write(bp,"\n",1) <= 0) goto err;
-	sprintf(str,"%12sPublic Key Algorithm: %s\n","",
+                }
-		(i == NID_undef)?"UNKNOWN":OBJ_nid2ln(i));
+	if(!(cflag & X509_FLAG_NO_PUBKEY))
-	if (BIO_puts(bp,str) <= 0) goto err;
+		{
 		if (BIO_write(bp,"        Subject Public Key Info:\n",33) <= 0)
 			goto err;
 		if (BIO_printf(bp,"%12sPublic Key Algorithm: ","") <= 0)
 			goto err;
 		if (i2a_ASN1_OBJECT(bp, ri->pubkey->algor->algorithm) <= 0)
 			goto err;
 		if (BIO_puts(bp, "\n") <= 0)
 			goto err;
 		pkey=X509_REQ_get_pubkey(x);
 		if (pkey == NULL)
 			{
 			BIO_printf(bp,"%12sUnable to load Public Key\n","");
 			ERR_print_errors(bp);
 			}
 		else
 #ifndef OPENSSL_NO_RSA
-	if (pkey != NULL && pkey->type == EVP_PKEY_RSA)
+		if (pkey->type == EVP_PKEY_RSA)
 			{
 			BIO_printf(bp,"%12sRSA Public Key: (%d bit)\n","",
 			BN_num_bits(pkey->pkey.rsa->n));
@@ -127,36 +153,29 @@ int X509_REQ_print(BIO *bp, X509_REQ *x)
 		else
 #endif
 #ifndef OPENSSL_NO_DSA
-		if (pkey != NULL && pkey->type == EVP_PKEY_DSA)
+		if (pkey->type == EVP_PKEY_DSA)
 			{
 			BIO_printf(bp,"%12sDSA Public Key:\n","");
 			DSA_print(bp,pkey->pkey.dsa,16);
 			}
 		else
 #endif
 #ifndef OPENSSL_NO_ECDSA
 		if (pkey != NULL && pkey->type == EVP_PKEY_ECDSA)
 		{
 			BIO_printf(bp, "%12sECDSA Public Key: \n","");
 			ECDSA_print(bp, pkey->pkey.ecdsa, 16);
 		}
 	else
 #endif
 			BIO_printf(bp,"%12sUnknown Public Key:\n","");
 	if (pkey != NULL)
 		EVP_PKEY_free(pkey);
 		}
 	if(!(cflag & X509_FLAG_NO_ATTRIBUTES))
 		{
 		/* may not be */
-	sprintf(str,"%8sAttributes:\n","");
+		if(BIO_printf(bp,"%8sAttributes:\n","") <= 0)
-	if (BIO_puts(bp,str) <= 0) goto err;
+		    goto err;
 		sk=x->req_info->attributes;
 		if (sk_X509_ATTRIBUTE_num(sk) == 0)
 			{
-		sprintf(str,"%12sa0:00\n","");
+			if(BIO_printf(bp,"%12sa0:00\n","") <= 0)
-		if (BIO_puts(bp,str) <= 0) goto err;
+			    goto err;
 			}
 		else
 			{
@@ -171,8 +190,8 @@ int X509_REQ_print(BIO *bp, X509_REQ *x)
 				a=sk_X509_ATTRIBUTE_value(sk,i);
 				if(X509_REQ_extension_nid(OBJ_obj2nid(a->object)))
 									continue;
-			sprintf(str,"%12s","");
+				if(BIO_printf(bp,"%12s","") <= 0)
-			if (BIO_puts(bp,str) <= 0) goto err;
+				    goto err;
 				if ((j=i2a_ASN1_OBJECT(bp,a->object)) > 0)
 				{
 				if (a->single)
@@ -210,11 +229,15 @@ get_next:
 				if (++ii < count) goto get_next;
 				}
 			}
-
+		}
 	if(!(cflag & X509_FLAG_NO_ATTRIBUTES))
 		{
 		exts = X509_REQ_get_extensions(x);
-	if(exts) {
+		if(exts)
 			{
 			BIO_printf(bp,"%8sRequested Extensions:\n","");
-		for (i=0; i<sk_X509_EXTENSION_num(exts); i++) {
+			for (i=0; i<sk_X509_EXTENSION_num(exts); i++)
 				{
 				ASN1_OBJECT *obj;
 				X509_EXTENSION *ex;
 				int j;
@@ -225,7 +248,8 @@ get_next:
 				j=X509_EXTENSION_get_critical(ex);
 				if (BIO_printf(bp,": %s\n",j?"critical":"","") <= 0)
 					goto err;
-			if(!X509V3_EXT_print(bp, ex, 0, 16)) {
+				if(!X509V3_EXT_print(bp, ex, 0, 16))
 					{
 					BIO_printf(bp, "%16s", "");
 					M_ASN1_OCTET_STRING_print(bp,ex->value);
 					}
@@ -233,11 +257,20 @@ get_next:
 				}
 			sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
 			}
 		}
 	if(!(cflag & X509_FLAG_NO_SIGDUMP))
 		{
 		if(!X509_signature_print(bp, x->sig_alg, x->signature)) goto err;
 		}
 	return(1);
 err:
 	X509err(X509_F_X509_REQ_PRINT,ERR_R_BUF_LIB);
 	return(0);
 	}
 int X509_REQ_print(BIO *bp, X509_REQ *x)
 	{
 	return X509_REQ_print_ex(bp, x, XN_FLAG_COMPAT, X509_FLAG_COMPAT);
 	}
--- a/Show More
+++ b/Show More